available information lead to small perturbations in correctness conditions.

This work is novel, because there has been very little previous success in stating interesting properties which are guaranteed by nonserializable systems.
1. Introduction

1.1. Background

In recent years, there has been extensive research on the design and theory of distributed databases. Nearly all of this work has been directed towards providing frameworks in which transactions can be processed concurrently, while preserving integrity constraints on the data. Many of the most important advances in distributed processing have arisen from this work, including the development of techniques based on locking and timestamps, and commit protocols. The work has led to elegant system designs, as well as to a very interesting theory.

It is apparent, however, that there is still a problem. The techniques developed in distributed database research have not yet been accepted by the commercial world to the extent that researchers might have hoped. In particular, airline reservation systems, banking systems and inventory control systems (applications which motivated much of the research) still do not rely on the general mechanisms developed by researchers. The problem may be fundamental to the general approach. The mechanisms developed in research guarantee preservation of integrity constraints, but they are inadequate for meeting stringent response time and availability requirements. This inadequacy seems to be an unavoidable result of strong requirements for synchronization among remote nodes.

Many applications of the sort mentioned above put a high premium on availability and fast performance, and in order to obtain these, they are willing to sacrifice something in the way of "correctness" or "data integrity". The research community has so far been unable to provide general frameworks which guarantee weaker correctness conditions as well as good performance and availability. As a result, practical systems development work for these applications is still based on ad hoc methods of concurrency control.

There is a need for system development work, as well as associated theory, to fill this gap. New frameworks are needed which guarantee good performance and availability, yet provide enough discipline on application programming so that useful correctness claims can be proved. When fast response time and high availability are required, it seems necessary to allow violations of integrity constraints to occur. In this case, traditional frameworks do not allow anything interesting to be proved about the behavior of the system. The difficult part of the problem is to guarantee interesting and useful correctness properties, even when integrity constraints are violated.


1.2. SHARD

The new SHARD (System for Highly Available Replicated Data) system under development at Computer Corporation of America (CCA) is designed to address the problems described above. It provides highly available distributed data processing in the face of communication failures (including network partitions). It does not guarantee serializability, nor does it preserve integrity constraints, but it does guarantee many practical and interesting properties of the database.

The reader is referred to [SBK] for a detailed description of the architecture of the SHARD system. Briefly, the main ideas are as follows. The network consists of a collection of nodes, each of which has a copy of the complete database. (Full replication is a simplifying assumption we have used for our initial prototype; many of our ideas seem extensible to the case of partial replication, but this extension remains to be made.) Replication allows transactions to be processed locally, thus reducing communication costs and delays, and providing high availability.

After a transaction is processed at its originating node, information about the transaction is broadcast reliably to all the other nodes for incorporation into the database copies at those nodes. The broadcast algorithm [GLBKSS] ensures that, barring permanent communication failures, every node will eventually receive information about every transaction. While the broadcast algorithm attempts to deliver information to all sites in as timely a manner as possible, communication and node failures can cause significant delays. Since nodes may continue to initiate transactions during communication failures (indeed, they may not even be aware that there is a failure somewhere in the network), these delays mean that transactions may run against out-of-date database states.

When a node receives new information about a transaction, no matter when the transaction was initiated, this information must be merged into the node's copy of the database; this merging must be done consistently at all nodes, to maintain mutual consistency. The following mechanism is used to guarantee consistent merging. Transactions are totally ordered by a globally unique timestamp assignment (such as one based on local timestamps with node identifiers used for tiebreaking), and each node uses this total ordering to determine how to merge information about different transactions. Because all nodes order the transactions in the same way, they will agree on the result of merging identical sets of transactions. Also, at all times during execution, each node's copy of the database always reflects the effects of all the transactions known to that node, as if they were run according to the global timestamp order.

Since messages about different transactions could arrive at a single node out of timestamp order, keeping the copy correct entails frequent undoing and redoing of transactions. The SHARD system uses an undo-redo strategy in lieu of any other inter-node concurrency control mechanism. This strategy allows the nodes to achieve mutual consistency without relying on extra network communication. There are several implementation ideas which reduce the amount of undoing and redoing that is actually necessary; some of these are discussed in [BK, SKS].

Problems arise with the simple scheme described so far in its interactions with the external world. Certain transactions will trigger external actions. For example, in an airline reservation system, a booking transaction might determine that there are available seats on a flight, and might cause a passenger to be informed that he has been assigned a seat. Although the transaction is run at different nodes, and possibly undone and redone many times, the external action should only occur once: at the transaction's origin node, when the transaction is initiated.

When a transaction is rerun at a node, it may be necessary to undo all its effects before redoing it starting from a different database state. This requirement is a serious problem for transactions which trigger external actions: it is not possible for the system to undo an external action. Moreover, when the transaction is redone, it might not choose to trigger the same external action. In an airline reservation system, a booking transaction might decide to inform a passenger of an available seat when the transaction is initiated. However, if this booking transaction is undone and then redone from a database state in which there do not appear to be any available seats, it would not grant the seat. Thus, after the undo and redo, the database would not record the fact that the passenger had been granted a seat, even though the passenger has actually been informed that a seat has been granted. This situation produces an inconsistency between the information in the database and the information sent to the passenger. We would like to avoid this kind of inconsistency.

Thus, we find it useful to limit the interaction of transactions with the external world, by imposing some extra structure on the transactions. We require that all transactions be divided into two parts: a "decision", which may read data and trigger external actions, but may not modify the database, and an "update", which may read and write the database but may not trigger external actions.

The decision part of a transaction is invoked only when the transaction is initiated. This part of the transaction may interact with the user, giving some indication of the likely outcome of the completed transaction. The results returned by the decision determine an update, which is then broadcast to all the nodes to be merged into all the copies of the database. Only the update is broadcast to the other nodes. The update is the part of the transaction that may be undone and redone; the decision is executed only once. Since the decision involves no changes to the database, just broadcasting the update is enough to ensure mutual consistency of the database copies.
In the example described earlier, the decision part of the booking transaction could read the database at the local (initiating) node and determine whether there appear to be available seats. If there are, the decision would inform the requesting passenger that he has been granted a seat, and would also cause the system to invoke an update that writes the reservation into the database. When the update is received by the other nodes, the reservation is also entered into their copies of the database. Thus, every node would correctly record the fact that the passenger was granted a seat.

Because of the distribution, and because of the possible need for undo and redo, the update part of the booking transaction may execute many times, possibly from different database states. No matter what state it is executed from, the update records the facts that the seat was assigned and the passenger was informed of the assignment. This update records the facts correctly even if it is executed from a state from which a booking transaction run in its entirety would not choose to grant the passenger a seat.

Because decisions are made with incomplete information about the updates of preceding transactions, it is possible that the database could reach an undesirable state, e.g. a state in which a flight is overbooked. However, users or application programmers could monitor the database with additional "compensating" transactions, which invoke appropriate corrective actions. In this example, a transaction might check for overbooking, and decide on a particular passenger to unseat. The decision part of this transaction would inform the passenger that his reservation has been rescinded. The update would just record, in the database, the fact that the particular passenger has been unseated. Of course, applications should be designed to avoid an excessive amount of compensation. The correctness conditions described in this paper should help to provide application designers with guidelines for coping with these and other problems caused by a lack of serializability.
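The merge mechanism and the decision/update split described above, as an added example; this is not code from the paper or from the SHARD implementation. It assumes a single replicated object (the list of assigned passengers), a constructed flight capacity of 3, and timestamps that are a pair (local clock, node name) with the node name breaking ties. Undo/redo is done in the simplest correct way, by refolding the sorted log from the initial state, rather than with the optimizations the paper cites; the passenger names and the partition scenario are constructed.

```python
from dataclasses import dataclass

CAPACITY = 3  # assumption: a tiny flight, so that overbooking is easy to show


@dataclass(frozen=True, order=True)
class Update:
    """An update broadcast to every node.  Field order gives the global
    ordering (ts, node, ...), so the node name breaks timestamp ties."""
    ts: int
    node: str
    passenger: str   # the update itself: "append passenger to ASSIGNED_LIST"


def apply_update(state, u):
    """Updates are functions S -> S and never touch the external world."""
    return state + (u.passenger,)


class Node:
    def __init__(self, name):
        self.name = name
        self.log = []        # every update known to this node, kept sorted
        self.state = ()      # this node's copy of ASSIGNED_LIST
        self.clock = 0       # local timestamp source
        self.external = []   # external actions actually triggered at this node

    def merge(self, u):
        """Merge u into the local copy.  An in-order update is simply applied;
        an out-of-order one forces undo back to the initial state and redo of
        the whole log in global timestamp order."""
        if u in self.log:
            return self.state
        self.clock = max(self.clock, u.ts)
        if self.log and u > self.log[-1]:
            self.log.append(u)
            self.state = apply_update(self.state, u)
        else:
            self.log.append(u)
            self.log.sort()
            self.state = ()
            for v in self.log:
                self.state = apply_update(self.state, v)
        return self.state

    def book(self, passenger):
        """Decision part of a booking: runs once, at the origin node, against
        the state this node currently knows.  It triggers an external action
        and returns the update to broadcast (None if no seat was granted)."""
        self.clock += 1
        if len(self.state) >= CAPACITY:
            self.external.append(f"refuse {passenger}")
            return None
        self.external.append(f"notify {passenger}")
        u = Update(self.clock, self.name, passenger)
        self.merge(u)
        return u


def broadcast(nodes, u):
    if u is not None:
        for n in nodes:
            n.merge(u)


def partitioned_run():
    """Constructed scenario: nodes A and B both know two of the three seats
    are taken, then each grants a seat while partitioned from the other."""
    a, b = Node("A"), Node("B")
    for p in ("p1", "p2"):
        broadcast([a, b], a.book(p))
    ua = a.book("p3")   # A sees 2 assigned and grants p3
    ub = b.book("p4")   # B also sees 2 assigned and grants p4, unaware of p3
    a.merge(ub)         # partition heals: A receives B's update in order,
    b.merge(ua)         # B receives A's update out of order and undoes/redoes
    return a, b
```

partitioned_run() is exactly the situation the text warns about: both nodes grant the last seat during the partition because each decision saw only partial information. After the partition heals the two copies converge to the same, overbooked, state whatever the delivery order; each passenger was notified exactly once, at the origin node; and the redone update records both assignments even when the state it is redone against already has no free seat. Reducing that overbooking is the job of a compensating transaction, not of the merge.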

A preliminary design for SHARD has been completed, and is documented in [BK, GLBKSS, S, SBK, SKS]. Also, a prototype implementation has been completed.

1.3. Correctness Conditions

The SHARD system can be implemented efficiently, and seems capable of expressing the kinds of transaction behavior actually used in commercial systems. However, if the system is going to be widely used, it should be possible to make precise claims about its behavior. This paper provides a formal setting in which such claims can be made, and uses that framework to prove some interesting claims about SHARD's behavior.

It should be clear that SHARD does not guarantee serializability of complete transactions. It does guarantee serializability of the update parts of transactions, but that condition by itself does not say very much. We believe that we can say more about what is guaranteed by such a system than just what we can conclude from its weak serializability properties.

We take our cue from some of the intended applications of the system, such as airline reservations, banking, and inventory control. These exemplify different kinds of resource allocation applications. In all these cases, there are natural integrity constraints which one would want to define; these are usually expressed as predicates on the database states. In resource allocation applications, one useful integrity constraint would be that the number of allocated resources be no greater than the number of available resources. Another would be that the number of allocated resources be no less than the number of available resources, provided there are enough requests for resources. Both of these conditions are described by predicates on the database state.

However, one can go further; there is often a "cost" associated with violations of an integrity constraint, which can be expressed as a function of the database state. In resource allocation applications, the cost of over-allocation might be some number which is proportional to the excess of the number of allocated resources over the number of available resources. The cost of unnecessary under-allocation might be proportional to the minimum of the number of unsatisfied requests and the excess of the number of available resources over the number of allocated resources. Each of the applications listed has its own particular cost functions, characteristic of that application. In each case, it is desirable to keep the costs as low as possible.

Thus, one kind of property we would like to prove is a bound on the cost of violations of integrity constraints. Results of the form "With absolute certainty, the cost remains at most c" would be unreasonably strong in our setting, because of the uncertainty that arises from delays and failures. Rather, it seems much more appropriate to prove results of the form "With probability p, the cost remains at most c". Results of this form would be very useful to the application designer, since they would allow him to adjust his design in such a way as to lower the expected cost bound.

We believe that results of this form are most conveniently proved in two parts: (1) conditional results of the form "If certain conditions hold, then the cost remains at most c", and (2) probability distribution information describing the probability that the conditions hold. Most often, the conditions mentioned in (1) will be parametrized, e.g. "When each transaction is initially executed, the database state includes the effects of all but at most k of certain kinds of preceding transactions." Similarly, the cost mentioned in the conclusion of (1) will be parametrized. Thus, results of type (1) will usually be a class of related results, giving cost bounds for a range of quantitatively different assumptions about system operation. The probability distribution information in (2) will be obtained by an independent analysis, using information such as delay characteristics of the message system, and expected rates of transaction processing. It should be relatively easy to combine the information in (1) and (2) to get probabilistic statements of the kind we want. In this paper, we do not carry out the probabilistic analysis required in (2), but instead focus on the parametrized conditional claims in (1).

Thus, we obtain results of the form "If each transaction "sees" all but at most k of certain kinds of preceding transactions, then the cost remains at most c(k)." Such cost bounds limit the damage which can be caused when transactions operate with a bounded amount of missing information. The cost bounds we obtain are, in general, intuitively natural, rather than extremely surprising; our main contribution lies in the fact that we can actually formulate and prove the intuitive claims. Previously, no claims at all could be made when information about any transactions was missing. We can make such claims, and our claims become stronger (i.e. the integrity constraints are better preserved) when information is more complete (i.e. when execution is closer to being serializable). In contrast to serializability's all-or-nothing character, our work has a "continuous" flavor; small changes in available information lead to small perturbations in integrity constraints.

The question of how the costs get defined still remains to be addressed. Assignment of costs is something that must be done by application programmers, who understand the impact of database behavior on the organization using the system. It is likely that the cost assignment procedure will be complex and approximate. Nevertheless, it appears to be what is currently used by organizations, implicitly, in evaluating the acceptability of database system behavior. Therefore, it seems that such cost assignments should play an important role in evaluating database behavior.

Another kind of property which is of interest for resource-allocation applications is "fairness". Fairness properties describe conditions under which a particular request is guaranteed to be granted, or guaranteed not to be granted. They also deal with relative priority of different requests in obtaining resources. While FIFO order might be an appropriate fairness condition in a serializable system, weaker fairness conditions are more appropriate in the SHARD setting, and are still of interest.

In this paper, we begin by providing the basic definitions and vocabulary for discussing the operation of systems of this type. Then, following the usual organization in traditional concurrency control theory, we study the correctness conditions in two groups. First, we examine conditions which can be guaranteed by the system alone (analogous to serializability). The system does guarantee to run transactions in some total order. But whereas serializability would guarantee that each transaction has total information about the effects of the preceding transactions, the SHARD system only guarantees that each transaction has partial information about the preceding transactions. Second, we examine conditions which can be guaranteed by the transactions (analogous to preservation of integrity constraints). Transactions might be required not just to preserve integrity, but also to improve or restore integrity. These two kinds of conditions, those guaranteed by the system and those guaranteed by the transactions, can be combined to allow proof of interesting properties (cost bounds and fairness) for a running application.

We describe our properties and carry out our proofs in the context of a simple prototypical resource allocation example. We believe that this example contains many of the elements common to the class of applications for which SHARD is suited. The types of conditions stated and the techniques for proving their correctness appear likely to extend to the other applications. Wherever possible, we state conditions and describe proofs in a general way, so that they will be directly applicable to other applications.

Related work includes several other papers which weaken serializability in various ways [FM, AM, G, D, for example]. Other work that seems related to the SHARD approach, although in a very different context, is the work on "virtual time" [J].

The rest of the paper is organized as follows. In Section 2, we describe our database model. In Section 3, we describe conditions that can be guaranteed by the system alone. In Section 4, we describe conditions that can be guaranteed by the transactions alone. In Section 5, we prove some interesting cost bound and fairness properties for the example resource allocation system. These properties are consequences of both the conditions guaranteed by the system and those guaranteed by the transactions. In Section 6, we present our conclusions.

2. Database Model

This section includes formal definitions of database states, integrity constraints, and transactions.

One goal of the SHARD design is to keep the distribution and replication of data hidden from the application. In particular, we attempt to avoid explicit mention of distribution and replication in our correctness conditions. Our general approach is analogous to the usual approach for describing correctness of distributed databases ([BG], for example). In the usual approach, correctness of a distributed database requires that the distributed database give the appearance of a centralized, serial database. In our case, the database will not appear to be serial, but will still appear to be centralized.

In other database research, certain consistency conditions, called "integrity constraints," are given for the database states. These conditions fit into our model in two ways. The most fundamental are modelled as "well-formedness" conditions: we will require that transactions always preserve these. The other consistency conditions, which we call "integrity constraints," represent desirable conditions, but we do not assume that they are preserved at all times. To measure how far a database state is from satisfying the integrity constraints, we impose cost measures on the states with respect to each constraint, where a greater cost indicates that the state is further from satisfying the constraint. One goal of SHARD is to minimize the cost of states that arise during an execution.

Our transactions are composed of two parts, a "decision part" and an "update." As described in the Introduction, the decision part reads data and may interact with the external world, but does not modify the database. The results returned by the decision part determine an update, which can read and write the database, but does not directly interact with the external world.

In addition to providing general definitions in this section, we also define an airline reservation example, with four transactions. This example will be used throughout the rest of the paper.

2.1. States

The database has a set S of possible database states, among which a particular initial state s_0 is distinguished. There might be some additional structure on the database; for example, it might be composed of a collection of objects, where a state would consist of a value for each object. In case X is an object, we let X(s) denote the value of object X in database state s.

Among the database states, there may be some which fail to satisfy some fundamental consistency conditions, and we will generally want to omit them entirely from consideration. Therefore, we designate certain of the database states as well-formed. We assume that the initial state is well-formed.

Example:

Fly-by-Night Airlines is a little-known airline company which has exactly one scheduled flight, Flight 1. Flight 1 is scheduled to take off next Jan. 1 and will take its lucky 100 passengers from Boston to an idyllic resort in the Caribbean.

A database state consists of the following objects:

- ASSIGNED-LIST, a finite ordered list of people who have been notified that they have seats on Flight 1, and

- WAIT-LIST, a finite ordered list of people who have requested seats on Flight 1, but do not have assigned seats.

The initial state has both lists empty. The well-formed states are those which satisfy the fundamental consistency condition that ASSIGNED-LIST and WAIT-LIST must contain disjoint sets of people.

We use the notation AL(s) as a shorthand for |ASSIGNED-LIST(s)|, the number of people on the assigned list in state s; similarly, we use WL(s) for |WAIT-LIST(s)|. We will sometimes refer to AL and WL as if they were objects themselves; they are similar to objects, in that they have values in every database state. However, those values are always derived from the values of the "real" objects, ASSIGNED-LIST and WAIT-LIST.

2.2. Integrity Constraints

For us, "integrity constraints" represent desirable conditions, but we do not assume that they are preserved at all times. Since integrity constraints are not always preserved, we find it useful to measure how far a database state is from satisfying the integrity constraints. In order to do this, we impose nonnegative real-valued cost measures on the states with respect to each constraint, where a greater cost indicates that the state is further from satisfying the constraint. A cost of zero indicates that the constraint is satisfied. The total cost of a state is the sum of the costs associated with all the constraints. One goal of SHARD is to minimize the cost of states that arise during an execution.


More precisely, we assume a finite collection of integrity constraints, indexed by the set I. Let cost(s,i) denote the cost of database state s which is attributed to a violation of integrity constraint i. The cost of s, cost(s), is then defined as Σ_{i∈I} cost(s,i).

We use the notation X ∸ Y to denote max(X − Y, 0).

Example:

In the Fly-by-Night airline reservation system, there are two integrity constraints in addition to the well-formedness condition already described.

Integrity Constraint 1: Overbooking should not occur.

Formally, this says that AL ≤ 100. While this condition is certainly desirable, we do not expect that it will always hold. If Flight 1 is overbooked, the cost to Fly-by-Night Airlines is approximately $900 per overbooked passenger. (This cost covers the price of a first-class ticket on an alternative flight, plus hotel accommodations for a week in the Caribbean.) Thus, we define cost(s,1), the cost of state s which is attributed to violating constraint 1, to be 900 · (AL(s) ∸ 100).

Integrity Constraint 2: Underbooking should not occur, if it is avoidable.

Formally, this says that either AL ≥ 100 or else WL = 0. That is, either all the seats on Flight 1 are assigned or else there are no waitlisted passengers. If Flight 1 is unnecessarily underbooked, the cost to the airline company is approximately $300 for each waitlisted passenger who could have been assigned a seat. (This is the missed profit.) Thus, we define cost(s,2), the cost of state s which is attributed to violating constraint 2, to be 300 · min(100 ∸ AL(s), WL(s)).


The assignment of costs to database states, for violation of particular integrity constraints, is a part of application design. In practice, it might not always be obvious how to assign such costs. It is possible that the system could help the application designers, by providing a framework in which the designers could determine appropriate cost functions. Cost functions often summarize other information which the application designers might find it easier to think about. For instance, in many interesting cases (such as the airline reservation system), the data is numerical, and the cost functions have some simple (e.g., linear) relationship to the data values. Perhaps patterns such as this one could be incorporated into a language for describing cost assignments. Systematizing cost assignments is a subject for future research.

2.3. Transactions

In this subsection, we describe the structure of transactions. As noted earlier, our transactions are composed of two parts, a "decision part" and an "update". The decision part reads data and may interact with the external world, but does not modify the database. The results returned by the decision part determine an update, which can read and write the database, but does not directly interact with the external world.

Formally, an update is any mapping from S to S which preserves well-formedness. Let U denote the set of updates. Let E denote the set of external actions. A transaction T consists of a decision part D_T, which is a mapping from the state set S to U × P(E). For any database state s, D_T(s) is a pair consisting of the update which is invoked when T is run from s, and the set of external actions triggered by T when T is run from s. Where no confusion is likely, we will sometimes write D_T(s) to denote just the update, ignoring the external actions.

A transaction is designed to execute nonatomically; it "observes" some state of the database when it is initially run, but then later it transforms other, possibly different, states. The observation of the database takes place in the decision part and the state transformation in the update part. Each of these two parts is intended to be carried out atomically. The state that a transaction observes is to be thought of as embodying partial information about past updates, such as the information known at the local site at the time the transaction is first executed. This partial information is used to decide on the new update to be generated.

Example:

The airline reservation system has only four transactions: a REQUEST for a seat which puts the passenger on the waiting list, a CANCEL transaction, a MOVE-UP transaction which moves a waitlisted passenger to the assigned list, and a corresponding MOVE-DOWN transaction which moves an assigned passenger back to the waiting list. Note that we are departing slightly from the example discussed in the Introduction: the effects of the booking transaction described there are achieved by a combination of a REQUEST transaction and a MOVE-UP transaction.

The four transactions are as follows:

(1) REQUEST(P), where P is a person


This transaction is described by the following program.

Decision: TRUE
Action:
    if P is not on WAIT-LIST and P is not on ASSIGNED-LIST
    then add P to end of WAIT-LIST

This program is to be interpreted as follows. For any state s, the decision mapping $D_{REQUEST(P)}(s)$ triggers no external action and invokes the same update A. A operates on any state s' by adding P to the WAIT-LIST provided that P is not already on either the WAIT-LIST or the ASSIGNED-LIST in s'. In case P is on either list in s', A does nothing. We refer to the unique update A invoked by the REQUEST(P) transaction as the request(P) update.

(2) CANCEL(P), where P is a person

This  is  described  by  the  following  program. 

Decision: TRUE
Action:
    if P is on WAIT-LIST
    then remove P from WAIT-LIST
    if P is on ASSIGNED-LIST
    then remove P from ASSIGNED-LIST

Again, from any state s, the decision mapping always yields the same update. This update, from any state s', removes P from any list on which it happens to appear. If P is not on either list, the update does nothing. We refer to the unique update invoked by the CANCEL(P) transaction as the cancel(P) update.

The decision parts of the REQUEST and CANCEL transactions do not perform any interesting work: they always invoke the same update, and trigger no external actions. On the other hand, the following two transactions have decision parts that invoke different updates in different situations, and they sometimes trigger external actions.

(3) MOVE-UP

Decision: AL < 100 and WL > 0 and P is the first person on WAIT-LIST
External event: inform P that P is now assigned a seat
Action:
    if P is on WAIT-LIST
    then [remove P from WAIT-LIST
          add P to end of ASSIGNED-LIST]

Here, the decision part, running from state s, tests to see whether there is room on the ASSIGNED-LIST and a person waiting to be assigned. If not, no action is taken. If so, the decision part selects a particular person P (the first on the WAIT-LIST in state s) to be moved up from the WAIT-LIST to the ASSIGNED-LIST. A message is sent to P, and the update is parametrized by P. From any state s', the update moves P from the waiting list to the end of the assigned list, provided that P is actually on the waiting list in s'. Otherwise (i.e. if P is already on the assigned list, or P is on neither list), no change occurs. We refer to the update generated by the MOVE-UP transaction when it selects person P as the move-up(P) update.


(4) MOVE-DOWN

Decision: AL > 100 and P is the last person on ASSIGNED-LIST
External event: inform P that P is now waitlisted
Action:
    if P is on ASSIGNED-LIST
    then [remove P from ASSIGNED-LIST
          add P to end of WAIT-LIST]


The meaning of this transaction is symmetric with the preceding one. We refer to the update invoked by the MOVE-DOWN transaction when it selects person P as the move-down(P) update.


It  is  clear  that  all  the  updates,  for  all  four  transactions,  preserve  well-formedness,  as  required. 


Note that each of the last two transactions contains two conditionals. The two conditionals play different roles. The first conditional in each case is used to decide which update and external actions will occur. The second is part of the execution of the update. Also note that the transactions are designed to observe the database state more than once. For example, in the MOVE-DOWN transaction, the transaction looks at ASSIGNED-LIST in one state s in order to attempt to select a person P to move down. Then whenever the move-down(P) update is executed, it looks at ASSIGNED-LIST in another state s' to determine whether to actually move P.


We  consider  this  airline  reservation  system  to  be  a  prototype  of  a  much  more  general  class  of  resource 
allocation  systems.  It  seems  that  practically  all  resource  allocation  systems  must  have  operations  of  the  four 
kinds  described  above:  operations  that  request  resources  and  cancel  those  requests,  as  well  as  operations  that 
allocate  and  deallocate  the  resources.  Those  operations  will  behave  in  somewhat  different  ways  for  each 
application.  Here,  to  be  specific,  we  have  made  a  particular  set  of  choices,  but  we  expect  that  many  of  the 
ideas  in  this  paper  will  carry  over  to  other  resource  allocation  systems. 


We introduce some additional notation which will be useful later for describing transactions. If the first component of $D_T(s)$ is an update which maps state s' to state s'', we will write T(s,s') = s''. If T(s,s') = s'', it means that if T is initially run from state s, it causes the system to invoke an update which, if it is ever run from state s', will produce state s''.


3.  Conditions  Guaranteed  by  the  System 

This section describes conditions that can be guaranteed by the system alone, i.e. conditions on how the system will run the transactions. Later, in Section 4, we describe conditions that can be guaranteed by the transactions alone. Then in Section 5, we combine these two kinds of conditions to prove properties of an application (the Fly-by-Night Airline Reservation System) running on the system.

This approach is roughly analogous to the usual approach in ordinary concurrency control theory. There, the serializability condition (which can be guaranteed by the system alone) is combined with the condition that individual transactions preserve integrity (which can be guaranteed by the transactions alone), to conclude that reachable database states all satisfy the integrity constraints.

The first subsection formally describes the basic guarantees made by SHARD about the way in which transactions are run. SHARD guarantees that there is some serial order for the transactions which it runs. The system does not guarantee serializability of the transactions in this order, but it does guarantee that each transaction "sees" the result of some subsequence of the preceding transactions. While this condition is fundamental to the semantics of the system, it is too weak to allow proof of interesting properties.

The second subsection contains refinements of the basic condition. Examples of these refinements are transitivity and some specific requirements on the subsequences of transactions seen by certain other transactions. The third subsection describes implementation issues. It shows how SHARD and similar systems can guarantee the conditions described in the other two subsections.

3.1. The Prefix Subsequence Condition

The system guarantees that there is some serial order for the transactions which it runs, and that each transaction "sees" the result of some subsequence of the preceding transactions in this serial order. We state this condition more formally below.

If s is any sequence, we write $s_i$ to denote the ith element of s. An execution of a set of transaction instances consists of a serial ordering T for the transaction instances, together with a sequence A of updates, a sequence B of sets of external actions, a sequence $\mathcal{P}$ of finite sequences of integers, and two sequences, s and t, of database states. An execution is required to satisfy the following conditions.

1. For $i \geq 1$, $\mathcal{P}_i$ is a subsequence of the prefix sequence $\{1, \ldots, i-1\}$.

2. For $i \geq 0$, $t_i$ is the state obtained by applying the sequence of updates designated by $\mathcal{P}_{i+1}$ to the initial database state $s_0$. That is, $t_i = A_{i_k}(\ldots A_{i_1}(s_0))$, where $\mathcal{P}_{i+1} = \{i_1, \ldots, i_k\}$.

4. For $i \geq 0$, each $s_i$ is the state obtained by applying the sequence of updates $A_1, \ldots, A_i$ to $s_0$. That is, $s_i = A_i(\ldots A_1(s_0))$.

These conditions mean the following. (1) says that each transaction $T_i$ has a corresponding subsequence of its prefix of preceding transactions; these are the preceding transactions that it "sees". (2) says that each state $t_i$ describes the effects of the updates of $T_{i+1}$'s prefix subsequence; it is the state of the database which $T_{i+1}$ "sees" when its decision part is run. (3) says that the update and external actions produced by $T_i$ are determined by its observed state $t_{i-1}$. Finally, (4) says that the states $s_i$ describe the actual effect (not necessarily observable by any of the transactions) of running the complete sequence of updates generated by all transactions through $T_i$.

The system guarantees to simulate (in some sense which we do not specify here) executions of those transactions which are submitted to it. In particular, it guarantees that the external actions described by sequence B are actually performed.

We say that the apparent state before transaction $T_{i+1}$ is $t_i$, and that the apparent state after transaction $T_{i+1}$ is state $T_{i+1}(t_i, t_i)$. Also, the actual state before transaction $T_{i+1}$ is $s_i$, and the actual state after transaction $T_{i+1}$ is state $s_{i+1} = T_{i+1}(t_i, s_i)$. We extend this notation to nonempty consecutive sequences of transactions in place of single transactions: the apparent and actual states before the sequence are just the apparent and actual states, respectively, before the first transaction in the sequence, while the apparent and actual states after the sequence are just the apparent and actual states, respectively, after the last transaction in the sequence. We say that each of the $s_i$ is reachable from $s_0$ in the given execution. We call the state $s_{i-1}$ the complete prefix state for $T_i$ in the given execution.

Let $\mathcal{U} = \{i, i+1, \ldots\}$ be a sequence of consecutive indices. Then $\mathcal{U}$ is said to be atomic in an execution provided that the following hold. (a) Each $T_j$, $j \in \mathcal{U}$, includes each of the other transactions $T_k$, $k \in \mathcal{U}$, $k < j$, in its prefix subsequence, and (b) all transactions $T_j$, $j \in \mathcal{U}$, have the same subset of the transactions with indices less than i in their prefix subsequences. Atomicity describes the running of several consecutive transactions without allowing new information about the database to intervene.

The prefix subsequence condition only guarantees that each transaction sees the result of some subsequence of its prefix. This condition does not rule out trivial solutions, such as every transaction seeing the initial database state (the result of the empty subsequence). In order to insure useful behavior, we would like the system to allow transactions to see prefixes which are as large as possible. Some refinements of the prefix subsequence condition designed to insure large prefixes are discussed in the following subsection.


Example: 


This example shows an execution of the transactions from the airline reservation system, acting non-serializably, but according to the prefix subsequence condition specified above. The left-hand column lists the successive $T_i$, while the right-hand column lists the corresponding $A_i$.

    T                    A
    REQUEST(P1)          request(P1)
    MOVE-UP              move-up(P1)
    REQUEST(P2)          request(P2)
    MOVE-UP              move-up(P2)
    ...                  ...
    REQUEST(P102)        request(P102)
    MOVE-UP              move-up(P102)
    MOVE-DOWN            move-down(P101)
    CANCEL(P1)           cancel(P1)


This execution can be obtained by having all the requests, the first 100 MOVE-UP transactions, and the cancellation operate seeing complete prefixes. The next two MOVE-UP transactions operate with incomplete prefixes. The first sees the results of the first 99 REQUESTs and MOVE-UPs, plus the REQUEST for P101, while the second sees the results of the first 99 REQUESTs and MOVE-UPs, plus the REQUEST for P102. Since each observes a state with only 99 people on the assigned list, each chooses to move a person up. Similarly, the MOVE-DOWN operates with an incomplete prefix. It sees the results of the first 202 transactions only, but not the results of the two transactions involving P102. Thus, it sees the assigned list with 101 people, and moves P101, the person it observes to be last, down.


Now consider the successive reachable states $s_i$. The state after the first 204 transactions, $s_{204}$, has 102 people on the assigned list, in numerical order, and no one on the waiting list. After the MOVE-DOWN, $s_{205}$ has P101 on the waiting list and P1, P2, ..., P100, P102 in order on the assigned list. The final cancellation then leaves the assigned list with exactly 100 passengers: P2, ..., P100, P102.


This execution differs from a serializable execution in at least two ways. First, there is a reachable state ($s_{204}$) for which the overbooking cost is nonzero. Second, the execution is not entirely "fair" in that P102 requests a seat after P101 (and his request is processed after P101's), but P102 is allowed to remain on the assigned list while P101 is moved down.
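The execution above, reproduced by an added Python model that is not code from the paper: the four transactions of Section 2.3 are written as decision parts returning (update, external actions), an execution is computed from a chosen sequence of prefix subsequences exactly as conditions (1), (2) and (4) of Section 3.1 prescribe, the costs of the reachable states are evaluated, and the transitivity condition of Section 3.2 is checked. Function names, the overbooking cost formula (900 dollars per passenger beyond capacity, matching the per-passenger figure quoted later) and the string form of external actions are this example's own assumptions.

```python
from typing import Callable, FrozenSet, List, Sequence, Tuple
CAPACITY = 100        # seats on Flight 1
OVERBOOK_COST = 900   # dollars per assigned passenger beyond capacity (constraint 1)
UNDERBOOK_COST = 300  # dollars per empty seat a waitlisted passenger could have had (constraint 2)

# A database state is (WAIT-LIST, ASSIGNED-LIST); both are ordered tuples of person names.
State = Tuple[Tuple[str, ...], Tuple[str, ...]]
Update = Callable[[State], State]
# A decision part maps the observed state to (update name, update, set of external actions).
Decision = Callable[[State], Tuple[str, Update, FrozenSet[str]]]
S0: State = ((), ())

def AL(s: State) -> int: return len(s[1])   # number of assigned passengers
def WL(s: State) -> int: return len(s[0])   # number of waitlisted passengers

def cost(s: State) -> Tuple[int, int]:
    """(cost(s,1), cost(s,2)). The overbooking formula is an assumption matching the paper's
    $900 per excess passenger; the underbooking one is the paper's 300*min(100-AL(s), WL(s)),
    clamped at zero when the flight is overbooked."""
    over = OVERBOOK_COST * max(0, AL(s) - CAPACITY)
    under = UNDERBOOK_COST * max(0, min(CAPACITY - AL(s), WL(s)))
    return over, under

def without(xs: Tuple[str, ...], p: str) -> Tuple[str, ...]:
    return tuple(x for x in xs if x != p)

# Updates (mappings from S to S). Each re-checks the state s' it actually runs in, which may
# differ from the state s the decision part observed; an update that finds its premise
# false does nothing, exactly as the paper's programs specify.
def request(p: str) -> Update:
    return lambda s: s if p in s[0] or p in s[1] else (s[0] + (p,), s[1])
def cancel(p: str) -> Update:
    return lambda s: (without(s[0], p), without(s[1], p))
def move_up(p: str) -> Update:
    return lambda s: (without(s[0], p), s[1] + (p,)) if p in s[0] else s
def move_down(p: str) -> Update:
    return lambda s: (s[0] + (p,), without(s[1], p)) if p in s[1] else s

# Decision parts of the four transactions.
def REQUEST(p: str) -> Decision:
    return lambda t: (f"request({p})", request(p), frozenset())
def CANCEL(p: str) -> Decision:
    return lambda t: (f"cancel({p})", cancel(p), frozenset())
def MOVE_UP(t: State) -> Tuple[str, Update, FrozenSet[str]]:
    if AL(t) < CAPACITY and WL(t) > 0:
        p = t[0][0]                     # first person on WAIT-LIST in the observed state
        return f"move-up({p})", move_up(p), frozenset({f"inform {p}: assigned a seat"})
    return "no-op", (lambda s: s), frozenset()
def MOVE_DOWN(t: State) -> Tuple[str, Update, FrozenSet[str]]:
    if AL(t) > CAPACITY:
        p = t[1][-1]                    # last person on ASSIGNED-LIST in the observed state
        return f"move-down({p})", move_down(p), frozenset({f"inform {p}: now waitlisted"})
    return "no-op", (lambda s: s), frozenset()

def execute(txns: Sequence[Decision], prefixes: Sequence[Sequence[int]]):
    """Execution as in Section 3.1. T_i (1-based) observes t_{i-1}, the result of applying the
    updates indexed by P_i (a subsequence of 1..i-1) to s_0; the actual state is s_i = A_i(s_{i-1}).
    Returns (s_0..s_n, update names A_1..A_n, external action sets B_1..B_n)."""
    for i, pre in enumerate(prefixes, 1):
        if list(pre) != sorted(set(pre)) or any(not 1 <= j < i for j in pre):
            raise ValueError(f"P_{i} is not a subsequence of 1..{i - 1}")
    updates: List[Update] = []
    names: List[str] = []
    actions: List[FrozenSet[str]] = []
    s = [S0]
    for i, txn in enumerate(txns, 1):
        t = S0
        for j in prefixes[i - 1]:
            t = updates[j - 1](t)       # t_{i-1}: the state T_i "sees"
        name, upd, ext = txn(t)         # (A_i, B_i) = D_{T_i}(t_{i-1})
        updates.append(upd); names.append(name); actions.append(ext)
        s.append(upd(s[-1]))            # s_i: actual state, which nobody need ever observe
    return s, names, actions

def is_transitive(prefixes: Sequence[Sequence[int]]) -> bool:
    """Section 3.2: if T' is in T's prefix and T'' is in T''s prefix, then T'' is in T's prefix."""
    sets = [set(p) for p in prefixes]
    return all(sets[j - 1] <= sets[i] for i in range(len(sets)) for j in sets[i])

def paper_transactions() -> List[Decision]:
    """REQUEST(Pk), MOVE-UP for k = 1..102, then MOVE-DOWN and CANCEL(P1)."""
    txns: List[Decision] = []
    for k in range(1, 103):
        txns += [REQUEST(f"P{k}"), MOVE_UP]
    return txns + [MOVE_DOWN, CANCEL("P1")]

def paper_prefixes(transitive_variant: bool = False) -> List[List[int]]:
    """Complete prefixes except: T_202 and T_204 (the 101st and 102nd MOVE-UPs) see the first
    99 REQUEST/MOVE-UP pairs plus REQUEST(P101), resp. REQUEST(P102); T_205 (MOVE-DOWN) sees
    the first 202. The variant also gives REQUEST(P101) and REQUEST(P102) only the first 198,
    which makes the execution transitive without changing any generated update."""
    pre = [list(range(1, i)) for i in range(1, 207)]
    first198 = list(range(1, 199))
    pre[201] = first198 + [201]        # T_202
    pre[203] = first198 + [203]        # T_204
    pre[204] = list(range(1, 203))     # T_205
    if transitive_variant:
        pre[200], pre[202] = list(first198), list(first198)   # T_201, T_203
    return pre
```

Running `execute(paper_transactions(), paper_prefixes())` yields the update column above, a state $s_{204}$ with 102 assigned passengers and a nonzero overbooking cost, and a final assigned list P2, ..., P100, P102; passing all-complete prefixes instead gives a serializable run with no overbooking but an underbooking cost after the cancellation.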


Notice that there is a danger of "thrashing" in this system. If a MOVE-UP transaction does not see a previous request and corresponding MOVE-UP, say for person P, it may move another person Q to the assigned list. A later MOVE-DOWN transaction might operate with a complete prefix, observe an overbooking, and move Q down. Another MOVE-UP might then execute, seeing the move-down(Q) update, but still not seeing the updates missed by the previous MOVE-UP; it may then reassign Q. A later MOVE-DOWN might then move Q back down, and so on. This kind of thrashing is very undesirable, not just because of its obvious inefficiency, but because of the external effects of the conflicting transactions.


3.2.  Additional  Conditions 

In this subsection, we suggest some conditions which say that particular transactions must include at least certain other transactions in their prefix subsequences. The conditions presented here are meant to be examples only, and are not necessarily intended to hold for all SHARD-like systems and all transactions. These restrictions are useful in guaranteeing certain properties of executions, as we demonstrate in Section 5. On the other hand, they reduce system availability. System and application designers must weigh the correctness gained by restricting the prefix subsequences against the reductions in availability.


First, we say that execution e is transitive provided that the following condition holds. Let T, T' and T'' be transactions (i.e. transaction instances) occurring in e. If T' is in the prefix subsequence of T and T'' is in the prefix subsequence of T', then T'' is in the prefix subsequence of T. Transitivity is a natural requirement, ensuring a basic sort of consistency among the prefixes seen by related transactions.

Example: 

The execution in the previous example fails to be transitive, but for a trivial reason. Namely, the REQUEST(P101) and REQUEST(P102) transactions are assumed to execute with complete prefixes. Since the MOVE-UP which generates move-up(P101) sees the effects of REQUEST(P101), transitivity would imply that this MOVE-UP should also see a complete prefix, which is not what happens. However, note that REQUEST and CANCEL transactions have only trivial decision parts, so they would cause the same updates to be generated no matter what prefix they see. Therefore, we can modify the execution slightly, assigning each of REQUEST(P101) and REQUEST(P102) the prefix subsequence consisting of the first 198 transactions, without changing the updates generated. The resulting modified execution is transitive.


Another restriction which might be useful in some cases is to require that some particular transaction T must run with the complete prefix. This might be useful for very crucial transactions, say for an audit transaction in a high-finance banking system: it might be desirable for audits to see the effects of all the preceding deposit, withdrawal and transfer transactions. Although we have not done so in this paper, it should be possible to prove strong correctness results about transactions running with complete prefixes.


Requiring a complete prefix is very restrictive. There are some variants on this condition which are less restrictive but still lead to some very useful properties. For example, we might limit the number of previous transactions which are not visible to a particular transaction. Namely, transaction T is said to be k-complete in execution e provided that, in e, T sees the results of all but at most k of the preceding transactions. The k-completeness condition, for a particular k, does not seem to be a natural requirement to impose on an implementation, since in general, it seems difficult to guarantee a reliable value for k. (It might be possible to obtain an estimate of this value by considering known characteristics of the message system together with the expected rate of transaction processing.) However, k-completeness seems to be more useful as a hypothesis for conditional claims which describe the behavior of the system in different situations, for different values of k.

Another kind of condition which limits the amount of concurrency is as follows. Let G be a group of transaction instances. We say that group G is centralized in execution e provided that, in e, each of the transactions in G includes in its prefix subsequence all the others from G which precede it in the complete prefix. For example, it might be useful to centralize all the transactions which could cause the cost of a particular integrity constraint to become nonzero (e.g. all the withdrawal transactions, in a banking system). This strategy might be used to guarantee that this cost can never become nonzero. Alternatively, it might be useful to centralize all the transactions which affect a particular object, or a particular portion of the database. This strategy might be used to guarantee serializable execution for those objects or portions of the database.

If the system guarantees that transactions in G are centralized, it might be useful for the application programmers and users to imagine the existence of a centralized "agent" for G. For instance, it might be useful for users of the airline system to think of a single agent who manages all the MOVE-UPs and MOVE-DOWNs, i.e. all the movement between WAIT-LIST and ASSIGNED-LIST. This abstraction could be useful even if there is actually no such centralized agent, but rather if (using some locking strategy, for example) the agent is implemented in a distributed way.

Some specific groupings for the airline reservation system are discussed in detail in Section 5, along with examples of correctness conditions that result from this requirement.


The final condition presupposes a notion of time. A timed execution is an execution, together with a nonnegative real number ("real time") for each transaction instance. These real times are intended to model the times at which the transactions are initiated. In the event that the transaction order is determined by timestamps, these real times need not be the same as the timestamps, and in fact the real times need not even be ordered in the same way as the transaction sequence. However, if the order of real times is monotonic, we say that the timed execution is orderly. An execution is said to have t-bounded delay provided that the prefix subsequence of each transaction T includes every transaction in the prefix whose real time is at least t smaller than T's real time. Thus, each transaction can see the effect of every other transaction that precedes it in the transaction ordering and is not too recent.

3.3. Implementation Issues

It is very natural to use the conditions described in the preceding subsections as the correctness conditions for the distributed system described in the Introduction. The system is able to assign timestamps in some way so as to determine a total ordering of the transactions. The transactions are initially executed at one node, and then information about the transactions is sent to the other nodes. The nodes can undo and redo actions in order to ensure that as new updates are seen, each succeeding update has the effect that it would if executed in a complete prefix state. There are a number of optimizations which allow the system to avoid undoing large numbers of transactions [UK], and optimized storage structures make this process even more efficient [SKS].

Only the updates are sent around, and they are undone and redone to yield a sequential ordering. The fact that the decision parts are not redone means that the system does not satisfy the usual notion of serializability; however, the system does satisfy the prefix subsequence property, i.e. that every transaction sees the effects of a subsequence of its prefix.

It  should  be  clear  that  an  appropriate  distributed  communication  protocol  could  guarantee  transitivity, 
perhaps  by  piggybacking  information  about  known  transactions  on  messages. 

There are a number of ways that a system could guarantee the subsequence restrictions described in the previous subsection. For instance, consider centralization of the transactions in G. It is possible to force all the transactions in G to run at the same node of a distributed system. Alternatively, a transaction in G with timestamp t might have to wait till it receives messages from all nodes saying "I will issue no more G transactions with timestamp earlier than t." This type of concurrency control might significantly reduce system availability. The probabilistic concurrency control methods of [S] provide other techniques for obtaining centralization.

4.  Conditions  Guaranteed  by  the  Transactions 

This  section  describes  conditions  which  might  be  guaranteed  by  the  transactions,  analogous  to  preservation 
of  integrity  constraints  in  the  usual  development.  We  do  not  intend  to  require  that  all  of  these  conditions 
hold  for  all  sets  of  transactions;  rather,  we  expect  different  conditions  to  be  useful  in  different  applications. 
We  attempt  to  formulate  the  conditions  in  a  general  way,  so  that  they  might  apply  to  different  resource 
allocation  applications.  We  describe  how  the  conditions  apply  to  the  airline  reservation  system. 

The first subsection defines some conditions involving costs of database states. Update parts of transactions are analyzed to determine whether or not they have the potential of increasing the cost, or are guaranteed to decrease the cost, with respect to a particular integrity constraint.


The  second  subsection  discusses  conditions  involving  fairness,  a  property  particularly  important  in 
applications  in  which  certain  entities  compete  for  access  to  some  resource  or  service.  We  define  priority 
among  competing  entities,  and  prove  that  certain  conditions  ensure  that  transactions  preserve  priority. 


We define an application to consist of a collection of database states (including designation of initial and well-formed states), their integrity constraint information (including costs), and a set of transactions. The properties we describe in this section are properties of applications.

4.1.  Conditions  Involving  Costs 

We say that an application is initially zero cost provided that $cost(s_0) = 0$. That is, all the integrity constraints are satisfied in the initial database state. Clearly, the airline system is initially zero cost.

Another interesting property would be that a transaction T "preserves integrity", just as it is required to do in the usual concurrency control theory. A formal statement of this property might be: "If s is a well-formed state with cost(s) = 0, and if T(s,s) = s', then cost(s') = 0." This says that if T runs so that it changes the same state that it sees, then it does not cause a violation of the integrity constraints if they were previously satisfied. (We might say that T does not cause a violation of the integrity constraints "on purpose".) In the present setting, a more general kind of condition is appropriate, which also involves the behavior of transactions when the costs are nonzero.

We begin by describing a very strong property of a transaction T that says that there is no possibility of T ever causing an increase in the cost for constraint i. An update A is said to be increasing for constraint i provided that there is some well-formed s for which cost(A(s),i) > cost(s,i). That is, the update has the potential of increasing the cost of constraint i, although it need not actually do so in all circumstances. Otherwise, i.e. if the update could never increase the cost of constraint i, A is said to be nonincreasing for constraint i. A transaction T is safe for constraint i provided that the following holds. If s is a well-formed state and $D_T(s) = A$, then A is nonincreasing for constraint i. Otherwise, i.e. if there is some well-formed s for which $D_T(s)$ is increasing, then we say that T is unsafe for constraint i.

Example: 

In the airline system, the request(P) update is nonincreasing for the overbooking constraint, but is increasing for the underbooking constraint, since in states with fewer than 100 assigned people, and with P not already waitlisted or assigned, this request causes an increase in cost (of $300). The cancel(P) update is also nonincreasing for the overbooking constraint, but is increasing for the underbooking constraint, since in states with at most 100 assigned people (including P) and sufficiently many waitlisted people, this cancellation causes an increase in cost (of $300). On the other hand, the move-up(P) update is increasing for the overbooking constraint, since in states with at least 100 assigned people, this move-up causes an increase in cost (of $900). However, it is nonincreasing for the underbooking constraint. Finally, the move-down(P) update is nonincreasing for the overbooking constraint, but is increasing for the underbooking constraint, since in states with at most 100 assigned people, this move-down causes an increase in cost (of $300).


Example: 

The only updates that are increasing for the overbooking constraint are those of the form move-up(P). Since only the MOVE-UP transaction can generate a move-up(P) update, the other transactions are all safe for the overbooking constraint. However, the MOVE-UP transaction is unsafe for the overbooking constraint. On the other hand, the MOVE-UP transaction is safe for the underbooking constraint, but the other three transactions are all unsafe for the underbooking constraint.

A less restrictive, interesting property to consider might be intuitively described as: "Transaction T does not increase the cost of integrity constraint i on purpose." One simple formal way of stating this property is: "If s is a well-formed state and if T(s,s) = s', then cost(s',i) ≤ cost(s,i)." For technical reasons, we define a slightly stronger formulation, as follows.

We say that transaction T preserves the cost of constraint i provided that the following holds. If s is a well-formed state, T(s,s) = s', D_T(s) = A and A is increasing for constraint i, then cost(s',i) = 0. That is, the decision part of a transaction T will only invoke an update part that (potentially) increases the cost of constraint i when the state that T believes will exist after the update runs will have a cost of 0 for constraint i. It is easy to see that this condition implies the simpler formulation described above: if A is nonincreasing the cost cannot grow, and if A is increasing the resulting cost is 0. Also, it is obvious that if T is safe for constraint i, then it preserves the cost of constraint i.

Example:

We show that all transactions preserve the cost of the overbooking constraint. Since all transactions except for the MOVE-UP transaction are safe for the overbooking constraint, they preserve the cost of the overbooking constraint. The MOVE-UP transaction is unsafe for the overbooking constraint, so more argument is required in this case. The MOVE-UP transaction only generates a move-up(P) update from a state s for which AL(s) < 100 and WL(s) > 0, where AL(s) and WL(s) denote the numbers of people on the ASSIGNED-LIST and the WAIT-LIST in s. Then the state s' resulting from applying the move-up(P) update to s has AL(s') ≤ 100, and thus cost(s',1) = 0.

Now consider the underbooking constraint. The MOVE-UP transaction is safe for the underbooking constraint, and hence preserves the cost of the underbooking constraint. We also show that the MOVE-DOWN transaction preserves the cost of the underbooking constraint. The MOVE-DOWN transaction only generates an update which is increasing for the underbooking constraint from a state s for which AL(s) > 100. Then the state s' resulting from applying the update to s has AL(s') ≥ 100, and thus cost(s',2) = 0.

On the other hand, it is easy to see that REQUEST(P) and CANCEL(P) transactions do not preserve the cost of the underbooking constraint.


Since we are working in a setting in which integrity constraints are not always satisfied, i.e. costs may be nonzero, another useful property of transactions might be that they actually reduce the cost, not just preserve it. A transaction which reduces the cost for an integrity constraint can be regarded as a "compensating transaction" for violations of that integrity constraint. One possible formulation is as follows. We say that transaction T compensates for constraint i provided that the following holds. If s is well-formed, T(s,s) = s', and cost(s,i) > 0, then cost(s',i) < cost(s,i).

Lemma 1: Assume that all costs are integral. Assume that T compensates for constraint i. Then for any well-formed s, either cost(s,i) = 0, or there is some integer k > 0 such that T(s,s) = s_1, T(s_1,s_1) = s_2, ..., T(s_{k-1},s_{k-1}) = s_k and cost(s_k,i) = 0.

Proof: By repeated application of the definition; since costs are integral and strictly decrease while positive, the sequence reaches cost 0 after finitely many steps. □

This lemma implies that if compensating transactions are run atomically from any point in an execution, using any available prefix subsequence, they will eventually result in an apparent state in which the cost of the constraint is 0. This idea can be stated formally as follows.

Corollary 2: Assume that all costs are integral. Assume that T compensates for constraint i. Let e be any finite execution, U any subsequence of the indices of e, and t the result of the updates indexed by U, applied to s_0.

Then either cost(t,i) = 0, or else there is an extension of e to another execution, by an atomic suffix consisting of T's only, such that the prefix subsequence of the first T in the suffix is U, t' is the apparent state after the last transaction, and cost(t',i) = 0.


Example:

It is easy to see that the MOVE-UP transaction compensates for the underbooking constraint, and the MOVE-DOWN transaction compensates for the overbooking constraint. In fact, it is possible to show that from any well-formed state, any atomic sequence of intermingled MOVE-UP and MOVE-DOWN transactions which contains sufficiently many of each will eventually reach an apparent cost of 0 for both integrity constraints.

Our last property involving costs bounds the increase in cost that can result from the execution of a bounded number of transactions. First, we say that s ≤_k t provided that there is a sequence of updates leading from s_0 to s, and a subsequence of that sequence containing all but at most k of the updates, such that the result of the subsequence applied to s_0 is t. That is, state t contains all the information in state s, except possibly for the effects of at most k updates. Then we say that function f bounds the cost increase for integrity constraint i provided that the following holds. For well-formed states s and t, if s ≤_k t then cost(s,i) ≤ cost(t,i) + f(k). Thus, f(k) bounds the increase in the cost of integrity constraint i that can be incurred by k transactions.

Example:

In the airline reservation system, it is easy to see that 900k bounds the cost increase for the overbooking constraint, while 300k bounds the cost increase for the underbooking constraint.
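The following Python model is added here as a worked example; it is not part of the paper. It makes the definitions of this subsection executable: the four updates, the two costs, the decision parts of MOVE-UP and MOVE-DOWN, the serial run T(s,s) used by the definitions of safe, cost-preserving and compensating transactions, and the iteration of Lemma 1. The update semantics and cost functions are assumptions reconstructed from the examples in this section (the paper's own definitions appear in an earlier section): cost(s,1) is $900 per person assigned beyond the 100 seats, cost(s,2) is $300 per empty seat for which someone is waiting, and move-down(P) is taken to put P at the front of the WAIT-LIST, the placement under which MOVE-DOWN preserves the priority order defined in section 4.2. The function stale_view_demo constructs a scenario for the bound f(k) = 900k: a MOVE-UP whose prefix subsequence misses k earlier move-ups raises the overbooking cost, but only to 900k.

```python
# Executable model of the Fly-by-Night airline example (added example, not the
# paper's code).  ASSUMPTIONS reconstructed from the section's examples:
#   cost(s,1) = 900 * max(0, assigned - 100)               (overbooking)
#   cost(s,2) = 300 * min(waiting, max(0, 100 - assigned))  (underbooking)
#   move-down(P) puts P at the front of the WAIT-LIST (preserves priority).
from dataclasses import dataclass

SEATS = 100
OVERBOOK_RATE = 900     # dollars per person assigned beyond SEATS (constraint 1)
UNDERBOOK_RATE = 300    # dollars per empty seat with someone waiting (constraint 2)


@dataclass(frozen=True)
class State:
    wait: tuple = ()        # WAIT-LIST, highest priority first
    assigned: tuple = ()    # ASSIGNED-LIST, highest priority first

    def known(self, p):
        return p in self.wait or p in self.assigned


def apply(state, update):
    """Apply one update (kind, person).  Updates that do not fit the state
    have no effect, matching the policy decisions of section 5.1."""
    kind, p = update
    wl, al = list(state.wait), list(state.assigned)
    if kind == "request":
        if not state.known(p):
            wl.append(p)
    elif kind == "cancel":
        if p in wl:
            wl.remove(p)
        if p in al:
            al.remove(p)
    elif kind == "move_up":
        if p in wl:
            wl.remove(p)
            al.append(p)
    elif kind == "move_down":
        if p in al:
            al.remove(p)
            wl.insert(0, p)
    else:
        raise ValueError(f"unknown update kind {kind!r}")
    return State(tuple(wl), tuple(al))


def run(updates, start=State()):
    """State reached by applying a sequence of updates to s_0 (the empty state)."""
    s = start
    for u in updates:
        s = apply(s, u)
    return s


def cost(s, i):
    if i == 1:      # overbooking
        return OVERBOOK_RATE * max(0, len(s.assigned) - SEATS)
    if i == 2:      # underbooking
        return UNDERBOOK_RATE * min(len(s.wait), max(0, SEATS - len(s.assigned)))
    raise ValueError(f"unknown constraint {i}")


# Decision parts D_T: inspect the (apparent) state and choose an update or None.
def decide_move_up(s):
    return ("move_up", s.wait[0]) if len(s.assigned) < SEATS and s.wait else None


def decide_move_down(s):
    return ("move_down", s.assigned[-1]) if len(s.assigned) > SEATS else None


def transaction(decide, view, actual):
    """T(view, actual): the decision part runs on the apparent state `view`
    and the chosen update is applied to `actual`.  T(s, s) is the case in
    which the transaction saw every preceding update."""
    u = decide(view)
    return actual if u is None else apply(actual, u)


def compensate(decide, s, i, limit=10_000):
    """Lemma 1: iterate T(s,s) for a compensating T until cost(s,i) == 0.
    Returns (final state, number of iterations)."""
    steps = 0
    while cost(s, i) > 0:
        s = transaction(decide, s, s)
        steps += 1
        if steps > limit:
            raise RuntimeError("transaction does not compensate")
    return s, steps


def stale_view_demo(k=3):
    """Constructed scenario for Theorem 5 / Corollary 6: a MOVE-UP whose prefix
    misses k earlier move-up updates overbooks, but its overbooking cost is at
    most 900k.  Returns (cost before, cost after)."""
    people = [f"p{n}" for n in range(SEATS + k + 1)]
    reqs = [("request", p) for p in people]
    ups = [("move_up", p) for p in people[:SEATS - 1]]          # 99 seats taken
    late = [("move_up", p) for p in people[SEATS:SEATS + k]]    # k more, unseen
    actual = run(reqs + ups + late)     # SEATS - 1 + k assigned, p99 still waiting
    view = run(reqs + ups)              # sees 99 assigned, so decides to move p99 up
    after = transaction(decide_move_up, view, actual)
    return cost(actual, 1), cost(after, 1)


if __name__ == "__main__":
    print(stale_view_demo(3))                                      # (1800, 2700)
    full = run([("request", f"p{n}") for n in range(120)])
    print(cost(full, 2), compensate(decide_move_up, full, 2)[1])   # 30000 100
```

Run as a script, it prints the before and after overbooking costs of the constructed stale-view scenario, and the number of MOVE-UP iterations needed to drive an underbooking cost of $30,000 to zero. Because every update is a total function on states, the same `apply` serves both the decision part's view and the actual state, which is exactly the two-argument form T(s,s') used throughout the section.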

Lemma 3: Let U be an atomic subsequence in execution e. Let s be the actual state before U, and s' the actual state after U. Let t be the apparent state before U, and t' the apparent state after U. If s ≤_k t, then s' ≤_k t'.

Proof: Straightforward. □

4.2. Conditions Involving Fairness

Another property of interest in some applications, i.e. those in which certain entities compete for access to some resource or service, is "fairness". In order to be able to state fairness conditions, we extend our application model to include the competing entities. In each state, we designate certain entities as "known" (i.e. currently competing). Also, in each state, we assume that there is a partial order on the known entities which describes priority.

We say that transaction T preserves priority provided that the following condition holds. If s is a well-formed state and T(s,s) = s', then: (a) If P and Q are both known in s and also in s', and if P precedes Q in s, then P precedes Q in s'. (b) If P is known in s and Q is not, and P and Q are both known in s', then P precedes Q in s'.

Example:

In our example, the people are the competing entities. In any state s, the known people are those on the WAIT-LIST or the ASSIGNED-LIST in s. For P and Q known in s, we define P < Q to mean that either P precedes Q on the WAIT-LIST, or P precedes Q on the ASSIGNED-LIST, or else P is on the ASSIGNED-LIST and Q is on the WAIT-LIST. Then all of the transactions preserve priority.

A stronger property is also of interest. We say that transaction T strongly preserves priority provided that the following condition holds. If s and s' are well-formed states and T(s,s') = s'', then: (a) If P and Q are both known in s' and also in s'', and if P precedes Q in s', then P precedes Q in s''. (b) If P is known in s' and Q is not, and P and Q are both known in s'', then P precedes Q in s''.


Example:

It is easy to see that the REQUEST and CANCEL transactions strongly preserve priority, but the MOVE-UP and MOVE-DOWN transactions do not. For example, consider the MOVE-UP transaction. Assume that in state s, person P is first on the WAIT-LIST, and that transaction T, run from state s, generates a move-up(P) update. In state s', P is on the WAIT-LIST but is not the first person; person Q is first. Then the move-up(P) action still moves P to the end of the ASSIGNED-LIST, in this case moving it ahead of Q. We have P > Q in state s', but P < Q in state s''. Thus, the MOVE-UP transaction is capable of changing the relative priorities of P and Q.

Similar remarks hold for the MOVE-DOWN transaction.

5. Properties of the Airline Reservation System

This section illustrates how the ideas presented in the previous sections can be used to prove interesting properties of executions of a particular application, the Fly-by-Night Airline System. Where it is possible, we state the results in a general way, so that they might later be applied to other examples.

Proving properties of executions of SHARD-like systems is far more difficult than for systems that preserve serializability. It is necessary to consider how a transaction's updates will execute on arbitrary well-formed database states, not just the database state seen by the decision part. With current techniques, it is not easy to understand how transactions and updates will behave in all possible situations just by examining the transaction code. Even some of the relatively simple-sounding results in this section have proofs that are somewhat delicate. Our hope is that more experience with examples and proofs of this sort will eventually make the task easier.

The first subsection gives a brief discussion of some policy decisions affecting priority that were embodied in the application design. The second subsection proves upper bounds on the costs of database states that could result from running the airline reservation system. All the bounds in this subsection are proved using the assumption that transactions see the effects of all but at most k of the preceding transactions. The cost bounds are stated in terms of this k. The third subsection refines the necessary conditions for obtaining these cost bounds and sharpens the bounds. The results in this subsection require only that transactions see the results of certain critical preceding transactions, rather than arbitrary transactions.

The fourth subsection proves results which rely on "centralization" assumptions, i.e. that some transactions see all of the preceding transactions of a certain type. Using centralization, we prove that some integrity constraints can never be violated. The final subsection proves some fairness properties.

5.1. Policy Decisions

Transactions in every application embody certain policy decisions. This subsection contains two examples which illustrate the policy decisions embodied in the Fly-by-Night System.

Example:

Suppose that two REQUEST(P) transactions occur without an intervening CANCEL(P). Both REQUEST(P) transactions generate request(P) updates. At some point, it might be necessary to determine the effect of a sequence of updates including both of these request(P) updates. Then the second request(P) would be applied to a state s which reflects the previous occurrence of the earlier request(P). Thus, P might be in WAIT-LIST(s) or ASSIGNED-LIST(s); in this case, the update is defined to have no effect. The policy embodied in this definition is that if a person P is already on the WAIT-LIST or ASSIGNED-LIST and makes a duplicate request, the new request does not change P's original priority. Alternative policy decisions might cause the second request to alter the priority somehow.

Example:

It is possible for two MOVE-UP transactions to occur which invoke move-up(P) updates for the same P, without an intervening CANCEL(P), or MOVE-DOWN which invokes a move-down(P) update. This could happen if the second MOVE-UP transaction is initiated without the first in its prefix subsequence. At some point, it might be necessary to determine the effect of a sequence of updates including both of these move-up(P) updates. Then the second move-up(P) would be applied to a state s which reflects the previous occurrence of the earlier move-up(P). Then P could be in ASSIGNED-LIST(s); in this case, the update has no effect. The policy embodied in this definition is that if a person P is already on the ASSIGNED-LIST, a new attempt to assign him a seat does not alter P's previous priority. Alternative policy decisions might cause the second move-up(P) to alter the priority.

5.2. Cost Bounds Resulting from k-Completeness

In this subsection, we prove upper bounds on the costs of the states reachable by running the airline system. All the bounds in this subsection are proved using the k-completeness assumption, i.e. the assumption that transactions see the effects of all but at most k of the preceding transactions. We begin with some preliminary lemmas.

Lemma 4: Let e be an execution, and T a k-complete transaction instance in e. Let s be the actual state before T and s' the actual state after T, in e. Let t be the apparent state before T and t' the apparent state after T.

1. Then s ≤_k t and s' ≤_k t'.

2. Let i be a constraint, and assume that f bounds the cost increase for constraint i. Then cost(s,i) ≤ cost(t,i) + f(k) and cost(s',i) ≤ cost(t',i) + f(k).

Proof: Straightforward. □


The following theorem shows that k-complete transactions that preserve the cost of a constraint are guaranteed not to make the cost of that constraint larger (except in the special case that the cost is very small).

Theorem 5: Let e be an execution, and T a k-complete transaction instance in e. Let i be a constraint, and assume that f bounds the cost increase for constraint i. Assume that T preserves the cost of constraint i. Let s be the actual state before T and s' the actual state after T, in e. Then either cost(s',i) ≤ cost(s,i) or else cost(s',i) ≤ f(k).

Proof: Let t be the apparent state before T and t' the apparent state after T. Then t' = T(t,t). Assume that T invokes update A in execution e, i.e. that D_T(t) = A. Assume that cost(s',i) > cost(s,i). Then A is increasing for constraint i. Since T preserves the cost of constraint i, it follows that cost(t',i) = 0. By Lemma 4, cost(s',i) ≤ cost(t',i) + f(k) = f(k). □


We can specialize the preceding results to obtain bounds for the airline system.

Corollary 6: Let e be an execution of the airline system, and T a k-complete transaction instance in e. Let s be the actual state before T and s' the actual state after T, in e.

1. If T is any transaction, then either cost(s',1) ≤ cost(s,1) or else cost(s',1) ≤ 900k.

2. If T is a MOVE-UP or MOVE-DOWN transaction, then either cost(s',2) ≤ cost(s,2) or else cost(s',2) ≤ 300k.

Proof:

1. By Theorem 5, the fact that all transactions preserve the cost of the overbooking constraint, and the fact that 900k bounds the cost increase for the overbooking constraint.

2. By Theorem 5, the fact that MOVE-UP and MOVE-DOWN transactions preserve the cost of the underbooking constraint, and the fact that 300k bounds the cost increase for the underbooking constraint. □


The previous results are enough to yield an upper bound for the overbooking cost (although not for the underbooking cost) in all reachable states. We obtain such an upper bound for the overbooking cost as a special case of the following more general theorem.

Theorem 7: Assume that the application has the property that all transactions preserve the cost of constraint i. Let e be an execution. Let f bound the cost increase for constraint i. Assume that all occurrences of transactions that are unsafe for constraint i, in e, are k-complete. Let s be any state reachable in e. Then cost(s,i) ≤ f(k).

Proof: The proof is by induction on the length of e. The basis, length 0, is immediate. For the inductive step, assume that the length of e is at least 1, and that T is the last transaction in e. Let s be the actual state before T, and s' the actual state after T.

The inductive assumption implies that cost(s,i) ≤ f(k). If cost(s',i) ≤ cost(s,i), the claim is immediate. So assume that cost(s',i) > cost(s,i); then the update T invoked is increasing, so T is unsafe for constraint i, and so T is k-complete in e, by assumption. Then Theorem 5 implies that cost(s',i) ≤ f(k), as needed. □

Our invariant upper bound on the overbooking cost follows as a corollary.

Corollary 8: Let e be an execution of the airline system. Assume that all MOVE-UP transactions are k-complete in e. Let s be any state reachable in e. Then cost(s,1) ≤ 900k.

Proof: By Theorem 7, the fact that all transactions preserve the cost of the overbooking constraint, the fact that 900k bounds the cost increase for the overbooking constraint, and the fact that only MOVE-UP transactions are unsafe for the overbooking constraint. □


We would also like to obtain an analogous invariant upper bound for the underbooking cost. Unfortunately, such a bound does not hold for our airline system, since it can fail in an execution where many requests or cancellations arrive in rapid succession without sufficient intervening MOVE-UPs. In order to prove an upper bound on the underbooking cost, it appears to be necessary to assume something about the MOVE-UP transactions occurring sufficiently frequently.

To be specific, we define a partition G of the indices of e into groups consisting of consecutive indices to be a grouping of e for constraint i provided that each group satisfies one of the following.

(a) It consists of exactly one index j, and transaction T_j preserves the cost of constraint i.

(b) If t is the apparent state after the group, then cost(t,i) = 0.

That is, we will consider instances of transactions that preserve the cost of constraint i individually, but we will consider other transactions together, paying special attention to points during the execution where the transactions believe they have reduced the cost of the constraint to 0. Of course, not every execution will have such a grouping, but if the application contains a compensating transaction for constraint i, Corollary 2 implies that executions with such groupings are abundant. The normal states of e, with respect to a particular grouping, are just those states which are reachable after the groups, i.e. the actual states after the groups.


The next theorem says that, if we restrict attention to normal states only, an invariant upper bound holds for the underbooking constraint.

Theorem 9: Let e be an execution and G a grouping of e for constraint i. Assume that f bounds the cost increase for constraint i. Assume that all transactions that preserve the cost of constraint i, as well as all transactions that occur at the ends of groups, are k-complete in e. Let s be any normal state reachable in e. Then cost(s,i) ≤ f(k).

Proof: By induction on the length of e. The basis, length 0, is immediate. For the inductive step, assume that the length of e is at least 1, and that T is the last transaction in e. Let s be the actual state before T, and s' the actual state after T. Let t be the apparent state before T, and t' the apparent state after T. There are only two cases that need to be considered.

If T is the last transaction in a group, then cost(t',i) = 0. Since T is k-complete, Lemma 4 implies that cost(s',i) ≤ cost(t',i) + f(k) = f(k), as needed.

Otherwise, T is a transaction that preserves the cost of constraint i, and occurs alone in a group. Then s is a normal state in e. The inductive assumption implies that cost(s,i) ≤ f(k). If cost(s',i) ≤ cost(s,i), the claim is immediate. So assume that cost(s',i) > cost(s,i). Then Theorem 5 implies that cost(s',i) ≤ f(k), as needed. □

The preceding theorem specializes immediately to our example. The REQUEST and CANCEL transactions are the ones that do not preserve the cost of the underbooking constraint, while the MOVE-UP transaction compensates for that constraint. Thus, executions which have groupings for the underbooking constraint can be constructed by including a sequence of MOVE-UP transactions immediately after each REQUEST and after each CANCEL transaction.




Corollary 10: Let e be an execution and G a grouping of e for the underbooking constraint. Assume that all MOVE-UP and MOVE-DOWN transactions, as well as all transactions that occur at the ends of groups, are k-complete in e. Let s be any normal state reachable in e. Then cost(s,2) ≤ 300k.

Thus, under suitable k-completeness assumptions, combined with assumptions about the frequency of compensating transactions, we can prove invariant upper bounds on the costs in all reachable states (or all normal reachable states).

The ideas used to prove the preceding results can be used to say more. Consider an execution e in which costs become very large (because k-completeness or frequency assumptions fail). If there is ever a time during the execution after which good completeness and frequency properties begin to hold, it is easy to see that correspondingly good upper bounds will be reestablished. For instance, we can get a result of this type for the underbooking constraint, using the ideas of Corollary 10. If we assume that the required transactions are k-complete from some point on in the execution, then (once the next compensating group has occurred) the underbooking cost satisfies an upper bound of 300k. On the other hand, if we want to obtain a similar result for the overbooking cost, we cannot base it on the simple ideas of Corollary 8. Rather, we would have to use ideas similar to those used for the underbooking cost. At some point after k-completeness begins to hold in the execution, we would hypothesize a group of MOVE-DOWNs bringing the apparent overbooking cost to 0, in order to compensate for any excess overbooking cost. With such a hypothesis, an eventual 900k bound on the overbooking cost could be proved. We omit formal statements of these results here.

It is possible to combine the results of Corollaries 8 and 10 to get a single invariant upper bound on the total cost for the airline system. For example, we obtain the following.

Corollary 11: Let e be an execution and G a grouping of e for the underbooking constraint. Assume that all MOVE-UP and MOVE-DOWN transactions, as well as all transactions that occur at the ends of groups, are k-complete in e. Let s be any normal state reachable in e. Then cost(s) ≤ 900k.

Proof: Immediate from Corollaries 8 and 10 and the fact that every well-formed state has either cost(s,1) = 0 or cost(s,2) = 0. □

We finish this subsection with a closer look at the kinds of improvements that are guaranteed by compensating transactions. For example, it would be nice to have a lemma which says that a k-complete transaction which compensates for constraint i is guaranteed to actually improve the cost of constraint i, unless that cost is small. Unfortunately, this is not true. Although the compensating transaction might "try" to improve matters, it is possible that, because of missing information from its own prefix, it might not succeed in doing so. For example, a MOVE-DOWN transaction might observe too many people on the ASSIGNED-LIST, and might therefore invoke a move-down update. But if it happens to invoke a move-down for a person who had actually cancelled in the interim, that move-down will not improve the actual cost.

We do know, however, that running the transaction several times in succession (atomically) can guarantee actual improvement. More precisely, we obtain the following.

Lemma 12: Assume that all costs are integral. Let f bound the cost increase for constraint i. Assume that T compensates for constraint i. Let e be any finite execution, U any subsequence of the indices of e containing all but at most k of the indices in e, and let s be the actual state after e.

Then either cost(s,i) ≤ f(k), or else there is an extension of e to another execution, by an atomic suffix consisting of T's only, such that the prefix subsequence of the first T in the suffix is U, s' is the actual state after the last transaction, and cost(s',i) ≤ f(k).

Proof: Let t be the result of U applied to s_0. Then s ≤_k t. By Corollary 2, either cost(t,i) = 0, or else there is an extension of e to another execution, by an atomic suffix consisting of T's only, such that the prefix subsequence of the first T in the suffix is U, t' is the apparent state after the last transaction, and cost(t',i) = 0. If cost(t,i) = 0, then since s ≤_k t, it follows that cost(s,i) ≤ cost(t,i) + f(k) = f(k), as needed. Otherwise, Lemma 3 implies that s' ≤_k t', and so cost(s',i) ≤ cost(t',i) + f(k) = f(k), as needed. □

This lemma specializes to the airline system as follows.

Corollary 13: Let e be any finite execution of the airline system, U any subsequence of the indices of e containing all but at most k of the indices in e, and let s be the actual state after e.

1. Either cost(s,1) ≤ 900k, or else there is an extension of e to another execution, by an atomic suffix consisting of MOVE-DOWNs only, such that the prefix subsequence of the first transaction in the suffix is U, s' is the actual state after the last transaction, and cost(s',1) ≤ 900k.

2. Either cost(s,2) ≤ 300k, or else there is an extension of e to another execution, by an atomic suffix consisting of MOVE-UPs only, such that the prefix subsequence of the first transaction in the suffix is U, s' is the actual state after the last transaction, and cost(s',2) ≤ 300k.

Thus, the cost bounds of this subsection limit the damage that can be caused when transactions operate with a bounded amount of missing information. As noted before, the bounds we obtain are intuitive rather than surprising. However, we know of no way to prove these sorts of intuitive statements in earlier frameworks.

We note that it is possible to obtain more refined versions of the results in this subsection. Generally, it is not actually necessary that the indicated transactions see all but k of the entire set of preceding transactions. Rather, only certain types of preceding transactions are important in each case, since they suffice to determine the results of critical decisions. For instance, in Corollary 8, it is not necessary that the MOVE-UPs be k-complete; for example, it would suffice for them to see all but k of the preceding MOVE-UP and REQUEST transactions. We examine this issue more closely in the next subsection.


5  J.  More  Refined  Cost  Bounds 

In this subsection, we reconsider some of the results of the preceding subsection. We sharpen those results so that they only require that transactions see the results of certain critical preceding transactions, rather than arbitrary preceding transactions. The results in this subsection give detailed information that is specialized to our application; thus, they are not stated in very general terms. However, it seems that the general approach used in this subsection should extend to other applications.

We begin by proving some basic lemmas about sequences of updates. It is helpful to think of these results in terms of an automaton whose states represent (abstractions of) the global states of the database, and whose state-transitions represent the updates. (The decision parts of transactions are not modelled by this automaton.) The sequence of updates which occur in an execution is modelled by a path in the automaton. We are interested in identifying subsequences of a sequence of updates which are guaranteed to lead to the same state in the automaton as does the whole sequence. If a transaction executes seeing only such a subsequence as its prefix subsequence, it would be guaranteed to have accurate information.

Let 𝒜 be a sequence of updates (of the Fly-by-Night airline system) and P a person. An assignment witness for P in 𝒜 is an ordered pair of updates, (A,B), from 𝒜, satisfying the following conditions.

(a) A is a request(P) update, B is a move-up(P) update, and A precedes B in 𝒜.

(b) There are no cancel(P) updates after A in 𝒜.

(c) There are no move-down(P) updates after B in 𝒜.

A waiting witness for P in 𝒜 is either of the following:

(1) An update A from 𝒜 satisfying the following conditions.

(a) A is a request(P) update.

(b) There are no cancel(P) or move-up(P) updates after A in 𝒜.

(2) A pair (A,B) of updates satisfying the following conditions.

(a) A is a request(P) update, B is a move-down(P) update, and A precedes B in 𝒜.

(b) There are no cancel(P) updates after A in 𝒜.

(c) There are no move-up(P) updates after B in 𝒜.

Recall that a person is known in a given state s if he is either in ASSIGNED-LIST(s) or WAIT-LIST(s).

Lemma 14: Let 𝒜 be a sequence of updates, and s the state resulting from applying 𝒜 to s_0. Let P be a person.

(a) P is known in state s exactly if there is a request(P) update in 𝒜 which is not followed by a cancel(P) update.

(b) P is in ASSIGNED-LIST(s) exactly if there is an assignment witness for P in 𝒜.

(c) P is in WAIT-LIST(s) exactly if there is a waiting witness for P in 𝒜.

Proof: By analysis of the possible state transitions. □


For the next several lemmas, we use the following notation. Let 𝒜 be a finite sequence of updates and let ℬ be a subsequence of 𝒜. Let s be the state which results from applying 𝒜 to s_0, and let t be the state which results from applying ℬ to s_0. The next lemmas relate the states s and t.

Lemma 15: Let P be a person. Assume that P is in ASSIGNED-LIST(s), and let (A,B) be an assignment witness for P in 𝒜. Assume that ℬ contains both updates A and B. Then P is in ASSIGNED-LIST(t).

Proof: By definition of an assignment witness, A is a request(P) update, B is a move-up(P) update, and A precedes B in 𝒜. Also, 𝒜 contains no cancel(P) updates after A and no move-down(P) updates after B. Now, ℬ contains both A and B, in that order. Also, ℬ cannot contain any cancel(P) updates after A or move-down(P) updates after B, since there are none in 𝒜. Thus, (A,B) is an assignment witness for P in ℬ. Lemma 14 implies that P is in ASSIGNED-LIST(t). □

Lemma 16: Let P be a person. Assume that P is in WAIT-LIST(s). Assume that at least one of the following holds.

(a) A is a waiting witness for P in 𝒜, and ℬ contains update A.

(b) (A,B) is a waiting witness for P in 𝒜 and ℬ contains both updates A and B.

Then P is in WAIT-LIST(t).

Proof: Similar to the proof of Lemma TWO. □

The preceding two lemmas will be applied in cases where 𝒜 denotes the entire sequence of updates preceding a particular transaction T, while ℬ denotes the subsequence of updates actually seen by T. The lemmas imply that if T sees certain of the preceding transactions, and a person P is actually on the ASSIGNED-LIST or WAIT-LIST, then T is guaranteed to know it. On the other hand, the next several lemmas deal with the opposite implication; they describe circumstances under which a transaction that believes that a person P is actually on the ASSIGNED-LIST or WAIT-LIST is guaranteed to be correct.

Lemma 17: Let P be a person. Assume that ℬ contains the last cancel(P) update, if any, in 𝒜. If P is known in t, then P is known in s.

Proof: Assume P is known in t. Then Lemma 14 implies that there is a request(P) update in ℬ which is not followed by a cancel(P) update in ℬ. This request(P) update also occurs in 𝒜, and there are no cancel(P) updates after the request(P) in 𝒜, since ℬ contains the last cancel(P) update from 𝒜. Therefore, Lemma 14 implies that P is known in s. □

Lemma 18: Let P be a person. Assume that ℬ contains the last move-down(P) update, if any, in 𝒜. Also assume that ℬ contains the last cancel(P) update, if any, in 𝒜. If P is in ASSIGNED-LIST(t), then P is in ASSIGNED-LIST(s).

Proof: Assume that P is in ASSIGNED-LIST(t). Then Lemma 14 implies that there is an assignment witness (A,B) for P in ℬ. Thus, A is a request(P) update and B is a move-up(P) update, A precedes B in ℬ, there are no cancel(P) updates in ℬ after A, and there are no move-down(P) updates in ℬ after B. Updates A and B also appear in 𝒜, in that order. There are no cancel(P) updates after A in 𝒜, since ℬ contains the last cancel(P) update (if any) in 𝒜. Similarly, there are no move-down(P) updates after B in 𝒜. Thus, (A,B) is an assignment witness for P in 𝒜. Lemma 14 implies that P is in ASSIGNED-LIST(s). □

Lemma 19: Let P be a person. Assume that ℬ contains the last move-up(P) update, if any, in 𝒜. Also assume that ℬ contains the last cancel(P) update, if any, in 𝒜. If P is in WAIT-LIST(t), then P is in WAIT-LIST(s).

Proof: Analogous to the proof of Lemma ONE. □


Again, we can apply the preceding three lemmas to the case where 𝒜 denotes the entire sequence of updates preceding a particular transaction T, and ℬ denotes the sequence of updates actually seen by T. The lemmas imply that if T sees certain of the preceding transactions, then T is guaranteed to know that a particular P is not on the ASSIGNED-LIST or WAIT-LIST.


Now we can prove refined versions of the results of the previous subsection. Since the notation and details become somewhat unwieldy, we present versions of Corollaries 6 and 13 only, and omit the others.

Theorem 20: Let c be an execution of the airline system, and T a transaction instance in c. Let s be the actual state before T and s' the actual state after T, in c.

1. Assume that there are at most k persons P such that P is in ASSIGNED-LIST(s) but the prefix subsequence seen by T fails to include an assignment witness for P. Then either cost(s',1) ≤ cost(s,1) or else cost(s',1) ≤ 900k.

2. Assume that T is a MOVE-UP or MOVE-DOWN transaction. Assume that there are at most k persons P such that P is not in ASSIGNED-LIST(s) but the prefix subsequence seen by T fails to include either the last cancel(P) or the last move-down(P) from 𝒜. Then either cost(s',2) ≤ cost(s,2) or else cost(s',2) ≤ 300k.

Proof: Let t be the apparent state before T and t' the apparent state after T. Then t' = T(t,t). Assume that T invokes action A in execution c, i.e. that D_T(t) = A.

1. Assume that cost(s',1) > cost(s,1). Then T is a MOVE-UP transaction, A is a move-up update, and AL(t) < 100. For all persons P in ASSIGNED-LIST(s), except for the k exceptions described in the hypothesis, Lemma 15 implies that P is in ASSIGNED-LIST(t). Therefore, AL(s) ≤ AL(t) + k < 100 + k. It follows that AL(s') ≤ 100 + k, and so cost(s',1) ≤ 900k.

2. Assume that cost(s',2) > cost(s,2). Then T is a MOVE-DOWN transaction, A is a move-down update, and AL(t) > 100. For all persons P in ASSIGNED-LIST(t), except for the k exceptions described in the hypothesis, Lemma 18 implies that P is in ASSIGNED-LIST(s). Therefore, AL(s) ≥ AL(t) − k > 100 − k. It follows that AL(s') ≥ 100 − k, and so cost(s',2) ≤ 300k. □

Theorem 21: Let c be any finite execution of the airline system, 𝒰 any subsequence of the indices of c, and let s be the actual state after c.

1. Assume that there are at most k persons P such that P is in ASSIGNED-LIST(s) but 𝒰 fails to include an assignment witness for P.

Then either cost(s,1) ≤ 900k, or else there is an extension of c to another execution, by an atomic suffix consisting of MOVE-DOWNs only, such that the prefix subsequence of the first T in the suffix is 𝒰, s' is the actual state after the last transaction, and cost(s',1) ≤ 900k.

2. Assume that there are at most k persons P such that P is in WAIT-LIST(s) but 𝒰 fails to include a waiting witness for P. Also assume that for all but at most k persons P, if P is not in ASSIGNED-LIST(s), then 𝒰 includes the last cancel(P) (if any) from c, and 𝒰 includes the last move-down(P) (if any) from c.

Then either cost(s,2) ≤ 300k, or else there is an extension of c to another execution, by an atomic suffix consisting of MOVE-UPs only, such that the prefix subsequence of the first T in the suffix is 𝒰, s' is the actual state after the last transaction, and cost(s',2) ≤ 300k.

Proof: Let t be the result of 𝒰 applied to s_0.

1. By Corollary 2, either cost(t,1) = 0, or else there is an extension of c to another execution, by an atomic suffix consisting of MOVE-DOWNs only, such that the prefix subsequence of the first T in the suffix is 𝒰, such that t' is the apparent state after the suffix, and cost(t',1) = 0.

First assume cost(t,1) = 0. Then AL(t) ≤ 100. Let P be any person in ASSIGNED-LIST(s). If P is not one of the k exceptions described in the hypothesis, then Lemma 15 implies that P is in ASSIGNED-LIST(t). It follows that AL(s) ≤ AL(t) + k ≤ 100 + k, so cost(s,1) ≤ 900k, as needed.

Second, assume that the extension exists. Then AL(t') ≤ 100. Let the actual state after the suffix be s'. Let P be any person in ASSIGNED-LIST(s'). Then P is also in ASSIGNED-LIST(s), since the suffix does not add anyone to the assigned list. If P is not one of the k exceptions described in the hypothesis, then Lemma 15 implies that P is in ASSIGNED-LIST(t). None of the MOVE-DOWNs in the suffix could have generated a move-down(P), since if one did, then P would not be in ASSIGNED-LIST(s'). Therefore, P is in ASSIGNED-LIST(t'). It follows that AL(s') ≤ AL(t') + k ≤ 100 + k, so cost(s',1) ≤ 900k.

2. By Corollary 2, either cost(t,2) = 0, or else there is an extension of c to another execution, by an atomic suffix consisting of MOVE-UPs only, such that the prefix subsequence of the first T in the suffix is 𝒰, t' is the apparent state after the suffix, and cost(t',2) = 0.

First assume cost(t,2) = 0. Then either AL(t) ≥ 100 or else WL(t) = 0. Let P be any person in WAIT-LIST(s). If P is not one of the k exceptions described in the hypothesis, then Lemma 16 implies that P is in WAIT-LIST(t). It follows that WL(s) ≤ WL(t) + k. Let P be any person in ASSIGNED-LIST(t). If P is not one of the k exceptions described in the hypothesis, then Lemma 18 implies that P is in ASSIGNED-LIST(s). It follows that AL(t) ≤ AL(s) + k. Thus, either WL(s) ≤ k or else AL(s) ≥ 100 − k. Thus, cost(s,2) ≤ 300k.

Second, assume that the extension exists. Then either AL(t') ≥ 100 or else WL(t') = 0. Let the actual state after the suffix be s'. Let P be any person in WAIT-LIST(s'). Then P is also in WAIT-LIST(s), since the suffix does not add anyone to the wait list. If P is not one of the k exceptions described in the hypothesis, then Lemma 16 implies that P is in WAIT-LIST(t). None of the MOVE-UPs in the suffix could have generated a move-up(P), since if one did, then P would not be in WAIT-LIST(s'). Therefore, P is in WAIT-LIST(t'). So WL(s') ≤ WL(t') + k.

Now let P be any person in ASSIGNED-LIST(t'). Then P must be known in t, since otherwise the move-ups in the suffix could not put P into ASSIGNED-LIST(t'). If P is in ASSIGNED-LIST(t), and P is not one of the k exceptions described in the hypothesis, then Lemma 18 implies that P is in ASSIGNED-LIST(s) and hence in ASSIGNED-LIST(s'). On the other hand, if P is in WAIT-LIST(t), and P is not one of these same k exceptions, then Lemma 17 implies that P is known in s. Since P is in ASSIGNED-LIST(t'), a move-up(P) occurs in the suffix. Then P is in ASSIGNED-LIST(s'). So AL(s') ≥ AL(t') − k. It follows that either WL(s') ≤ k or AL(s') ≥ 100 − k. In either case, cost(s',2) ≤ 300k. □

It is also possible to give refined versions of Corollaries 8, 10, and 11. We omit the details.

5.4.  Cost  Bounds  Resulting  from  Centralization 

In this subsection, we give two results which describe conditions under which overbooking cannot occur at all. These conditions involve fairly strong centralization assumptions. The basic idea is that if all the move-up decisions are made centrally, it should not be possible to overbook. However, in order to prove this result, it is necessary for us to make some technical restrictions involving the requests.

Theorem 22: Let c be a transitive execution. Assume that the MOVE-UP transactions are centralized in c. Assume that for each P, the transactions that generate updates involving P are centralized in c. Let s be any state reachable in c. Then cost(s,1) = 0.

Proof: The proof is by induction on the length of c. The base case, where the length of c is 0, is easy. So assume that the length of c is at least one. Let T be the last transaction in c. Let t be the apparent state before T and t' the apparent state after T. Let s be the actual state before T, and s' the actual state after T. Let 𝒜 be the actual sequence of updates preceding T, and let ℬ be the sequence whose effects are seen by T.

The inductive assumption says that cost(s,1) = 0. The only way that cost(s',1) can be nonzero is if T is a MOVE-UP transaction which generates a move-up update. Then AL(t) < 100.

We claim that ASSIGNED-LIST(s) ⊆ ASSIGNED-LIST(t). If this is so, then AL(s) < 100, so AL(s') ≤ 100 and cost(s',1) = 0, as needed.

So fix P in ASSIGNED-LIST(s). Then there is an assignment witness for P in 𝒜. The move-up(P) of the pair also appears in ℬ, since the MOVE-UP transactions are centralized.

The request(P) of the pair appears in the prefix seen by the move-up(P), since the transactions generating P updates are centralized. Therefore, the request(P) also appears in ℬ, by transitivity. Thus, ℬ contains the assignment witness, and Lemma 15 implies that P is in ASSIGNED-LIST(t). □

The second result of this subsection is just a minor variant of the first, with an alternative technical restriction on the requests.

Theorem 23: Let c be a transitive execution. Assume that the MOVE-UP transactions are centralized in c. Assume that for each P, there is at most one REQUEST(P) transaction in c. Let s be any state reachable in c. Then cost(s,1) = 0.

Proof: The proof is nearly identical to the preceding one. The only difference is in the argument that the request(P) is in the subsequence seen by the move-up(P). We know that some request(P) appears in the subsequence seen by the move-up(P) action, for otherwise that action would not have been invoked. Since there is only one such request(P), the claim holds. □


Of course, it would be better if we could prove the same result only assuming centralization of MOVE-UP transactions and transitivity, and not making any assumptions about the transactions generating updates for the same person. But this stronger statement is not true, as is shown by the following example.

Example:

Consider an execution which consists of a succession of blocks of 4 transactions each,

REQUEST(P1), CANCEL(P1), REQUEST(P1), MOVE-UP,

REQUEST(P2), CANCEL(P2), REQUEST(P2), MOVE-UP,

...

REQUEST(P101), CANCEL(P101), REQUEST(P101), MOVE-UP.

The successive MOVE-UP transactions produce updates move-up(P1), ..., move-up(P101).

This execution is possible if each of the first 100 MOVE-UP transactions sees the first request in the same block, but not the cancel or the second request. The last MOVE-UP sees all the previous MOVE-UPs and the requests that they see, plus the cancels. Then this last MOVE-UP will think that the earlier MOVE-UPs acted erroneously, and that there is really no one on the assigned list. It will therefore decide to move P101 up. The cost after this execution is nonzero.
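As an added example (not code from the paper), the following Python models the update automaton of Section 5.3 together with the assignment and waiting witnesses and their Lemma 14 characterisation, and then replays the block execution above to show the overbooked final state. The list rules it fixes where the text leaves them open are modelling assumptions: a duplicate request(P) is ignored, a move-up(P) of someone not waiting is a no-op, a MOVE-UP seats the head of its apparent WAIT-LIST, and the last MOVE-UP is taken to see the cancels of the earlier blocks.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

SEATS = 100  # the flight has 100 seats: MOVE-UP fires only while the apparent ASSIGNED-LIST is shorter


@dataclass(frozen=True)
class Update:
    kind: str    # "request", "cancel", "move-up" or "move-down"
    person: str


@dataclass
class State:
    assigned: List[str]   # ASSIGNED-LIST in priority order
    waiting: List[str]    # WAIT-LIST in priority order


def apply_update(s: State, u: Update) -> State:
    """One transition of the automaton whose paths are the update sequences (assumed list rules)."""
    a, w = list(s.assigned), list(s.waiting)
    if u.kind == "request" and u.person not in a and u.person not in w:
        w.append(u.person)                        # new requests join the tail of the WAIT-LIST
    elif u.kind == "cancel":
        a = [p for p in a if p != u.person]
        w = [p for p in w if p != u.person]
    elif u.kind == "move-up" and u.person in w:   # move-up of someone not waiting is a no-op
        w.remove(u.person)
        a.append(u.person)
    elif u.kind == "move-down" and u.person in a:
        a.remove(u.person)
        w.insert(0, u.person)                     # moved-down passengers go to the head of the WAIT-LIST
    return State(a, w)


def apply_sequence(seq: List[Update]) -> State:
    """State reached from the empty initial state s0 by applying seq in order."""
    s = State([], [])
    for u in seq:
        s = apply_update(s, u)
    return s


def has_assignment_witness(seq: List[Update], p: str) -> bool:
    """(A,B) with A = request(p) before B = move-up(p), no cancel(p) after A, no move-down(p) after B."""
    for i, a in enumerate(seq):
        if a != Update("request", p) or Update("cancel", p) in seq[i + 1:]:
            continue
        for j in range(i + 1, len(seq)):
            if seq[j] == Update("move-up", p) and Update("move-down", p) not in seq[j + 1:]:
                return True
    return False


def has_waiting_witness(seq: List[Update], p: str) -> bool:
    """Form (1): request(p) with no later cancel(p) or move-up(p); form (2): request(p) then move-down(p)
    with no cancel(p) after the request and no move-up(p) after the move-down."""
    for i, a in enumerate(seq):
        if a != Update("request", p) or Update("cancel", p) in seq[i + 1:]:
            continue
        rest = seq[i + 1:]
        if Update("move-up", p) not in rest:
            return True
        for j, b in enumerate(rest):
            if b == Update("move-down", p) and Update("move-up", p) not in rest[j + 1:]:
                return True
    return False


def lemma14_holds(seq: List[Update]) -> bool:
    """Lemma 14 (b) and (c): the witness characterisations agree with the automaton for every person."""
    s = apply_sequence(seq)
    return all(
        has_assignment_witness(seq, p) == (p in s.assigned)
        and has_waiting_witness(seq, p) == (p in s.waiting)
        for p in {u.person for u in seq})


def move_up_decision(prefix: List[Update], seats: int = SEATS) -> Optional[Update]:
    """Decision part of MOVE-UP on its apparent state t: seat the head of WAIT-LIST(t) if AL(t) < seats."""
    t = apply_sequence(prefix)
    if len(t.assigned) < seats and t.waiting:
        return Update("move-up", t.waiting[0])
    return None


def overbooking_execution(seats: int = SEATS) -> List[Update]:
    """The execution of the Example: seats+1 blocks REQUEST(Pi), CANCEL(Pi), REQUEST(Pi), MOVE-UP.
    MOVE-UPs are centralized and the execution transitive, so each MOVE-UP sees every earlier MOVE-UP
    and all it saw. The first `seats` MOVE-UPs see only the first request of their own block; the last
    one also sees the cancels of the earlier blocks. Returns the actual update sequence."""
    actual: List[Update] = []
    agent_seen: Set[int] = set()    # indices into `actual` visible to the MOVE-UP agent
    cancel_idx: List[int] = []
    for i in range(1, seats + 2):
        p = f"P{i}"
        base = len(actual)
        actual += [Update("request", p), Update("cancel", p), Update("request", p)]
        visible = agent_seen | {base}                  # first request of this block, not its cancel
        if i == seats + 1:
            visible |= set(cancel_idx)                 # the last MOVE-UP learns the earlier cancels
        cancel_idx.append(base + 1)
        u = move_up_decision([actual[k] for k in sorted(visible)], seats)
        if u is not None:
            actual.append(u)
            visible.add(len(actual) - 1)
        agent_seen = visible                           # later MOVE-UPs see this one and all it saw
    return actual
```

The actual state after `overbooking_execution()` has 101 people on the ASSIGNED-LIST, while every MOVE-UP decision was correct for the apparent state it saw.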

Similar results to those in this section should be provable, at least in principle, for the underbooking cost. However, the centralization assumptions that appear to be needed are so strong that the results do not seem very interesting.

5.5.  Fairness 

In this subsection, we consider fairness properties of the airline reservation system. As before, the results are stated in terms of the specific example, but the techniques appear to generalize to other applications.

For this section, we make the following very strong assumption. We assume that all MOVE-UP and MOVE-DOWN transactions are centralized; thus, there is essentially one "agent" making all decisions about seat assignment. It remains to be seen whether this assumption can be weakened, while still permitting proof of interesting fairness claims.

Recall the definition of passenger priority from Section 4.2: we say P < Q, for known P and Q, to mean that either P precedes Q on the WAIT-LIST, or P precedes Q on the ASSIGNED-LIST, or else P is on the ASSIGNED-LIST and Q is on the WAIT-LIST.

Lemma 24: Let 𝒜 be a sequence of updates, and let ℬ be a subsequence of 𝒜. Let P and Q be people. Assume that ℬ contains all move-up and move-down updates from 𝒜. Also assume that ℬ contains all the request and cancel updates for P and Q, from 𝒜. Let s be the result of 𝒜 and t the result of ℬ applied to s_0. Then P < Q in t if and only if P < Q in s.

Proof: The updates in 𝒜 which are not included in ℬ are only request and cancel updates for persons other than P and Q. These cannot affect the relative priority of P and Q. □


The following theorem says that, under certain restrictions, the relative priority of two requests is determined at the time the "agent" for MOVE-UP and MOVE-DOWN transactions first learns about both requests. Thus, except for an initial period of uncertainty during which the agent has not yet learned about the requests, their relative priority is fixed.

Theorem 25: Let c be a transitive execution. Assume that the MOVE-UP and MOVE-DOWN transactions are centralized. Let P and Q be people each of whom has exactly one REQUEST transaction, but no CANCEL transactions, in c. Let T be a MOVE-UP or MOVE-DOWN transaction having both REQUEST(P) and REQUEST(Q) in its prefix subsequence. Let t be the apparent state, and s the actual state, before T. If P < Q in t, then also P < Q in s and in all other actual database states occurring later in c.

Proof: First, we show that P < Q in s. Let 𝒜 be the sequence of updates preceding T, and ℬ the subsequence actually seen by T. The centralization assumption implies that ℬ contains all move-up and move-down updates from 𝒜. The other assumptions imply that ℬ contains all the request and cancel updates for P and Q, from 𝒜. Then Lemma 24 implies that P < Q in s.

Assume that T_i is the first transaction (T or later) after which it is false that P < Q. Let t_i be the apparent state before T_i and t_i' the apparent state after T_i. Let s_i be the actual state before T_i and s_i' the actual state after T_i. Then P < Q in s_i but not in s_i'. The only possibility is that T_i is a MOVE-UP or MOVE-DOWN transaction that causes the order of P and Q to become interchanged; thus, Q < P in s_i'.

We claim that P < Q in t_i. Let 𝒜 be the sequence of updates preceding T_i, and let ℬ be the subsequence actually seen by T_i. ℬ contains all the moving updates from 𝒜, by the centralization assumption. Also, ℬ contains the requests for P and Q, since the subsequence seen by T does, T is either equal to T_i or else is in T_i's subsequence, and transitivity holds. Thus, applying Lemma 24, the orderings in t_i and s_i are the same, so P < Q in t_i.

Now we claim that Q < P in t_i'. This follows using Lemma 24, since Q < P in s_i'. But if P < Q in t_i and T_i(t_i,t_i) = t_i', then P < Q in t_i', since all transactions preserve priority. This yields a contradiction. □

We can interpret the preceding theorem as follows. We might imagine that at the actual flight time, next January 1, the complete execution becomes known to the check-in attendant. The people that he actually allows to proceed onto the airplane are the 100 people who show up who have the highest priority in the final database state. (CANCEL transactions can be run for the others, and then sufficiently many MOVE-UP or MOVE-DOWN transactions to cause AL to equal 100 or WL to equal 0.) If P and Q had previously become known to the "agent" for MOVE-UP and MOVE-DOWN transactions, with P < Q, and if P and Q both show up, then if Q gets onto Flight 1, so does P.

Example: 

Our transaction definitions can lead to the following behavior for passengers' relative priorities. Assume that REQUEST(P) precedes REQUEST(Q), but the request(Q) update becomes known to the "agent" before the request(P) update. Then a move-up(Q) can occur, which moves Q up past P. Later, a move-down(Q) can occur. When this happens, our definitions say that Q gets put at the head of the WAIT-LIST, ahead of P. Subsequently, the moving agent can learn about the request(P) also. At that point, Q < P, so by Theorem 25, Q remains ahead of P. This happens even though there is sufficient information in the system to allow for Q to be placed on the WAIT-LIST after P, which is in keeping with their timestamp order for requests. Thus, the order obtained in the final state is determined by the order at the time a MOVE-UP or MOVE-DOWN transaction first sees both requests, but is not necessarily determined by the actual order in which the requests were initially made.

It is possible to redesign the application to respect the original request order in this situation. It suffices to include request timestamps explicitly in the database. Each of the two lists would always be kept sorted according to timestamp order. Thus, when the request(P) becomes known to the agent, he would insert P ahead of Q on the waiting list. (More precisely, when the move-down(Q) is run from a state in which P is on the waiting list, Q is not placed at the head of the waiting list, but rather is inserted in timestamp order, after P.) This relative position would be maintained from then on.

Theorem 25 makes a claim about relative priorities at times after a conceptual "agent" learns about two requests. In order for this condition to be meaningful as a correctness claim, the user must have a fairly detailed and sophisticated conceptual model of system operation, including prefix subsequences and agents. It might also be interesting to state fairness claims which involve a less detailed conceptual model. For example, we might want to state a condition which could be paraphrased as follows: "If a REQUEST(P) is made sufficiently earlier than a REQUEST(Q), then P must precede Q in the final state." The following lemma can be used to infer such a property.

Lemma 26: Let c be a transitive execution. Assume that the MOVE-UP and MOVE-DOWN transactions are centralized. Let P and Q be people each of whom has exactly one REQUEST transaction, but no CANCEL transactions, in c. Assume that REQUEST(P) precedes REQUEST(Q) in c. Further assume that any MOVE-UP or MOVE-DOWN transaction that has REQUEST(Q) in its prefix also has REQUEST(P) in its prefix. Then P < Q in any actual state reached during c in which both P and Q are known.

Proof: Assume the contrary, and let T be the first transaction in c such that Q < P in the actual database state after T. Let t be the apparent state before and t' the apparent state after T. Let s be the actual state before and s' the actual state after T. Then Q < P in s' but not in s.

First, we claim that T must be a moving transaction. If T were a REQUEST(P) transaction, then the REQUEST(Q) cannot be reflected in s', since it occurs after REQUEST(P). All other cases can be ruled out by similar trivial arguments. So T is a moving transaction; thus, P and Q are known in s, so that P < Q in s. The only possibilities are that T is a MOVE-UP transaction that moves Q up past P, or that T is a MOVE-DOWN transaction that moves P down past Q. For either of these to happen, at least one of request(P) and request(Q) must be in the prefix subsequence of T.

Case 1: T has both request(P) and request(Q) in its prefix subsequence.

Then both P and Q are known in t. If P < Q in t, then Theorem 25 implies that P < Q in s', a contradiction. On the other hand, if Q < P in t, then Theorem 25 implies that Q < P in s, again a contradiction.

Case 2: T has only request(P), but not request(Q), in its prefix subsequence.

Then T must be a MOVE-DOWN which moves P down past Q. Therefore, Q must be in ASSIGNED-LIST(s). But in order for this to occur, there must be some MOVE-UP transaction T' appearing earlier than T in c, which moves Q up; clearly, request(Q) must be in the prefix subsequence of T'. T' is in the prefix subsequence of T, since the moving transactions are centralized. By transitivity, request(Q) is in the prefix subsequence of T. This is a contradiction. □

We can use this lemma to obtain a theorem of the form we described earlier, i.e. that if REQUEST(P) occurs sufficiently long before REQUEST(Q) (and other suitable conditions hold), then P retains priority over Q. All that is needed is an additional assumption that if REQUEST(P) occurs sufficiently long before REQUEST(Q), then any MOVE-UP or MOVE-DOWN transaction that has request(Q) in its prefix also has request(P) in its prefix.

Theorem 27: Let c be a transitive, orderly timed execution having t-bounded delay. Assume that the MOVE-UP and MOVE-DOWN transactions are centralized. Let P and Q be people each of whom has exactly one REQUEST transaction, but no CANCEL transactions, in c. Assume that REQUEST(P) precedes REQUEST(Q) by at least time t, in c. Then P < Q in any actual state reached during c in which both P and Q are known.

Proof: The t-bounded delay assumption and orderliness imply that any MOVE-UP or MOVE-DOWN that has REQUEST(Q) in its prefix also has REQUEST(P) in its prefix. The previous lemma then yields the result. □

6.  Conclusions 

In this paper, we have given precise correctness conditions for a highly available replicated database system such as CCA's SHARD. First, we gave basic definitions for the SHARD database and transaction model. We then described assumptions about how the system runs the transactions, followed by assumptions about applications. Finally, these two types of assumptions were combined to prove some interesting properties of a particular running application, an airline reservation system. Although the example is simple, it is illustrative of a large class of important resource-allocation problems.

The assumptions about how the system must run the transactions (in particular, the prefix subsequence condition) have been described in a very general way. They embody a new model for data processing, which is quite different from, and imposes new structure on, the traditional models used in concurrency control theory. We expect that this model will prove very fruitful for future research and for application design.

In describing our assumptions about the airline reservation application, we have tried to be as general as possible. The types of assumptions we have listed seem to be very appropriate for resource allocation applications, but we do not believe that they comprise a complete set of interesting application assumptions. It is likely that study of additional examples will yield other interesting types of assumptions as well.


The particular properties proved for our application are bounds on the costs attributable to violations of
integrity constraints, and fairness. For other resource allocation applications, similar cost-bound and fairness
results should be provable.


The system exhibits nonserializable behavior, so being able to prove interesting conditions at all is an
accomplishment. In the usual development, no guarantees can be proved in case information about any
preceding transaction is missing. In contrast, we can prove interesting properties even with incomplete
information. Moreover, small changes in available information lead to small changes in the costs for integrity
constraints.

The analysis required to obtain some of our results has been very delicate. This is because it is necessary to
consider how updates will execute in many possible situations, not just from the database state seen by the
decision parts of their transactions. Another difficulty is that SHARD does not impose any a priori
restrictions on the kinds and orders of transactions that are submitted and processed. The need to consider
the behavior of transactions in the presence of arbitrary preceding transactions, and arbitrary partial
knowledge about the past, makes the analysis of SHARD transactions more difficult than for ordinary
(serializable) transactions. But this kind of analysis seems unavoidable; whether or not a formal,
mathematical analysis is carried out for a particular application, application programmers do need to consider,
at least informally, how transactions will behave in the presence of arbitrary preceding transactions and
arbitrary partial knowledge about the past. We provide a framework for this kind of analysis, but more needs
to be done to develop appropriate styles of programming and methods of analysis.

A next step in this research should be the consideration of other example applications. Additional resource
allocation examples should be examined, such as examples from banking and inventory control. Other,
non-resource-allocation, examples should be studied. Some examples appropriate for SHARD might involve
"distributed data structures". The highly-available distributed dictionary studied in [FM] is one example that
fits the SHARD framework, and there should be others. Also, it has been claimed that name servers such as
Grapevine [B] have interesting but nonserializable behavior; it seems likely that they can be described within
our framework. Still other appropriate examples might arise from real-time control.

For each of these examples, simple prototypes could be defined, capturing the essential behavior of the
example. Study of these prototypes should determine the appropriate properties to prove in each case. Cost
bounds and fairness should reappear, but other properties should also be of interest. It is important to look
for general methods of programming and analysis.

Other theoretical work also seems possible. For instance, we have described some interesting automaton
structure in Section 5.3. This structure could be studied and generalized. Also, it should be possible to obtain
complexity results. Particular examples of desirable application behavior could be studied individually, and
costs (e.g. amount of communication, or local storage) determined for achieving correct behavior.


On the systems design side, SHARD itself needs to be generalized in at least two important ways. First, the
inessential full replication assumption needs to be removed. Even with only partial replication, it should be
possible to continue to maintain the correctness conditions we describe in this paper, by judicious assignment
of data and transactions to nodes (i.e. in such a way that each transaction will have copies of all the data it
requires). It should even be possible to allow some of the data which transactions read to be present in
summary form, rather than in its full detail. Second, the SHARD work needs to be integrated with earlier
work on serializability. It should be possible to build an application system in which certain critical
transactions run serializably, while the others run in a highly available manner. The application designer
should be able to specify the modes of operation for different transactions. As the system design gets
extended, the theory also needs to be extended to incorporate these two generalizations.

It is apparent to us that there is an interesting theory to be developed for proving properties of
nonserializable highly available replicated database systems. We believe that this paper gives some useful
ideas on how to begin.